From 8ba60aab59b687ea3336ef9de0df814472881c18 Mon Sep 17 00:00:00 2001
From: sn0w0tter <42819997+sn0w0tter@users.noreply.github.com>
Date: Thu, 21 Nov 2019 02:07:40 +0100
Subject: [PATCH] markdown + analytics regenerated

---
 .../Customers/CU_0001_TESTCUSTOMER.md         |    2 +-
 .../Detection_Rules/av_exploiting.md          |   35 +
 .../Detection_Rules/av_password_dumper.md     |   35 +
 .../Detection_Rules/av_relevant_files.md      |   35 +
 .../Detection_Rules/av_webshell.md            |   35 +
 .../powershell_data_compressed.md             |   35 +
 .../powershell_downgrade_attack.md            |   35 +
 .../powershell_exe_calling_ps.md              |   35 +
 .../powershell_malicious_commandlets.md       |   35 +
 .../powershell_malicious_keywords.md          |   35 +
 .../powershell_ntfs_ads_access.md             |   35 +
 .../powershell_prompt_credentials.md          |   35 +
 .../Detection_Rules/powershell_psattack.md    |   35 +
 .../powershell_shellcode_b64.md               |   35 +
 .../powershell_suspicious_download.md         |   35 +
 ...owershell_suspicious_invocation_generic.md |   35 +
 ...wershell_suspicious_invocation_specific.md |   35 +
 .../powershell_suspicious_keywords.md         |   35 +
 .../powershell_winlogon_helper_dll.md         |   35 +
 .../Detection_Rules/sysmon_ads_executable.md  |    7 +-
 .../Detection_Rules/sysmon_cactustorch.md     |    7 +-
 .../Detection_Rules/sysmon_cmstp_execution.md |   10 +-
 .../sysmon_cobaltstrike_process_injection.md  |   31 +-
 .../Detection_Rules/sysmon_dhcp_calloutdll.md |    8 +-
 .../sysmon_dns_serverlevelplugindll.md        |    9 +-
 .../sysmon_ghostpack_safetykatz.md            |    5 +-
 ...on_logon_scripts_userinitmprlogonscript.md |   71 +-
 .../Detection_Rules/sysmon_lsass_memdump.md   |    7 +-
 .../Detection_Rules/sysmon_mal_namedpipes.md  |    7 +-
 .../sysmon_malware_backconnect_ports.md       |   14 +-
 .../sysmon_malware_verclsid_shellcode.md      |    5 +-
 .../sysmon_mimikatz_detection_lsass.md        |    8 +-
 .../sysmon_mimikatz_inmemory_detection.md     |    3 +-
 .../sysmon_mimikatz_trough_winrm.md           |    7 +-
 .../sysmon_password_dumper_lsass.md           |   10 +-
 .../sysmon_powershell_exploit_scripts.md      |    5 +-
 .../sysmon_powershell_network_connection.md   |   17 +-
 .../sysmon_quarkspw_filedump.md               |    5 +-
 .../sysmon_rdp_reverse_tunnel.md              |   17 +-
 .../sysmon_rdp_settings_hijack.md             |   13 +-
 ...sysmon_registry_persistence_key_linking.md |   95 +
 .../sysmon_renamed_powershell.md              |    9 +-
 .../sysmon_renamed_procdump.md                |   96 +
 .../Detection_Rules/sysmon_renamed_psexec.md  |   23 +-
 .../sysmon_rundll32_net_connections.md        |   14 +-
 .../sysmon_ssp_added_lsa_config.md            |    7 +-
 .../sysmon_stickykey_like_backdoor.md         |   11 +-
 .../sysmon_susp_download_run_key.md           |   95 +
 .../sysmon_susp_driver_load.md                |   11 +-
 .../sysmon_susp_file_characteristics.md       |    8 +-
 .../Detection_Rules/sysmon_susp_image_load.md |    7 +-
 .../sysmon_susp_lsass_dll_load.md             |   98 +
 .../sysmon_susp_powershell_rundll32.md        |    7 +-
 ...n_susp_prog_location_network_connection.md |    5 +-
 .../Detection_Rules/sysmon_susp_rdp.md        |   22 +-
 .../sysmon_susp_reg_persist_explorer_run.md   |    7 +-
 .../sysmon_susp_run_key_img_folder.md         |   30 +-
 .../sysmon_suspicious_keyboard_layout_load.md |   98 +
 .../sysmon_svchost_dll_search_order_hijack.md |  107 +
 .../sysmon_sysinternals_eula_accepted.md      |   10 +-
 .../sysmon_tsclient_filewrite_startup.md      |    7 +-
 .../sysmon_uac_bypass_eventvwr.md             |    7 +-
 .../sysmon_uac_bypass_sdclt.md                |    7 +-
 .../sysmon_webshell_creation_detect.md        |  115 +
 .../sysmon_win_binary_github_com.md           |   14 +-
 .../sysmon_win_binary_susp_com.md             |   14 +-
 .../sysmon_win_reg_persistence.md             |   19 +-
 .../sysmon_wmi_event_subscription.md          |    5 +-
 ..._persistence_commandline_event_consumer.md |    3 +-
 ...persistence_script_event_consumer_write.md |    3 +-
 .../sysmon_wmi_susp_scripting.md              |    7 +-
 .../Detection_Rules/win_GPO_scheduledtasks.md |   35 +
 .../win_account_backdoor_dcsync_rights.md     |   35 +
 .../Detection_Rules/win_account_discovery.md  |   35 +
 .../Detection_Rules/win_admin_rdp_login.md    |   35 +
 .../Detection_Rules/win_admin_share_access.md |   35 +
 ...win_alert_active_directory_user_control.md |   35 +
 .../win_alert_ad_user_backdoors.md            |   35 +
 .../win_alert_enable_weak_encryption.md       |   35 +
 .../Detection_Rules/win_alert_lsass_access.md |   35 +
 .../win_alert_mimikatz_keywords.md            |   35 +
 .../Detection_Rules/win_alert_ruler.md        |   35 +
 .../Detection_Rules/win_apt_bluemashroom.md   |   37 +-
 .../Detection_Rules/win_apt_mustangpanda.md   |   37 +-
 .../Detection_Rules/win_atsvc_task.md         |   35 +
 .../win_attrib_hiding_files.md                |   35 +
 .../Detection_Rules/win_av_relevant_match.md  |   35 +
 .../Detection_Rules/win_bypass_squiblytwo.md  |   35 +
 .../win_change_default_file_association.md    |   35 +
 .../Detection_Rules/win_cmdkey_recon.md       |   37 +-
 .../win_cmstp_com_object_access.md            |   35 +
 .../Detection_Rules/win_control_panel_item.md |   37 +-
 .../win_data_compressed_with_rar.md           |   35 +
 .../Detection_Rules/win_dcsync.md             |   35 +
 .../win_disable_event_logging.md              |   35 +
 .../win_encoded_frombase64string.md           |   35 +
 .../Detection_Rules/win_encoded_iex.md        |   35 +
 .../Detection_Rules/win_etw_trace_evasion.md  |   37 +-
 .../win_exploit_cve_2015_1641.md              |   37 +-
 .../win_exploit_cve_2017_0261.md              |   37 +-
 .../win_exploit_cve_2017_11882.md             |   37 +-
 .../win_exploit_cve_2017_8759.md              |   37 +-
 .../win_exploit_cve_2019_1378.md              |   35 +
 .../win_exploit_cve_2019_1388.md              |   35 +
 .../Detection_Rules/win_hack_rubeus.md        |   37 +-
 .../Detection_Rules/win_hack_smbexec.md       |   35 +
 .../Detection_Rules/win_hwp_exploits.md       |   37 +-
 .../win_impacket_lateralization.md            |   35 +
 .../win_impacket_secretdump.md                |   35 +
 .../win_install_reg_debugger_backdoor.md      |   37 +-
 ...d_party_drivers_exploits_token_stealing.md |   35 +
 .../Detection_Rules/win_lethalhta.md          |   37 +-
 .../Detection_Rules/win_lm_namedpipe.md       |   35 +
 ...in_local_system_owner_account_discovery.md |   35 +
 .../Detection_Rules/win_mal_adwind.md         |   37 +-
 .../Detection_Rules/win_mal_creddumper.md     |   37 +-
 .../Detection_Rules/win_mal_ryuk.md           |   37 +-
 .../win_mal_service_installs.md               |   35 +
 .../Detection_Rules/win_mal_ursnif.md         |   35 +
 .../Detection_Rules/win_mal_wceaux_dll.md     |   37 +-
 .../Detection_Rules/win_malware_dridex.md     |   37 +-
 .../Detection_Rules/win_malware_dtrack.md     |   37 +-
 .../Detection_Rules/win_malware_emotet.md     |   37 +-
 .../Detection_Rules/win_malware_formbook.md   |   35 +
 .../Detection_Rules/win_malware_notpetya.md   |   37 +-
 .../Detection_Rules/win_malware_qbot.md       |   37 +-
 .../win_malware_script_dropper.md             |   37 +-
 .../Detection_Rules/win_malware_wannacry.md   |   37 +-
 .../Detection_Rules/win_mavinject_proc_inj.md |   37 +-
 .../Detection_Rules/win_mmc_spawn_shell.md    |   37 +-
 .../Detection_Rules/win_mshta_spawn_shell.md  |   37 +-
 .../win_multiple_suspicious_cli.md            |   37 +-
 .../Detection_Rules/win_net_ntlm_downgrade.md |   37 +-
 .../Detection_Rules/win_netsh_fw_add.md       |   37 +-
 .../win_netsh_packet_capture.md               |   35 +
 .../Detection_Rules/win_netsh_port_fwd.md     |   37 +-
 .../win_netsh_port_fwd_3389.md                |   37 +-
 .../Detection_Rules/win_network_sniffing.md   |   35 +
 .../Detection_Rules/win_office_shell.md       |   37 +-
 ...n_office_spawn_exe_from_users_directory.md |   37 +-
 .../Detection_Rules/win_overpass_the_hash.md  |   35 +
 .../Detection_Rules/win_pass_the_hash.md      |   37 +-
 .../Detection_Rules/win_pass_the_hash_2.md    |   35 +
 .../win_plugx_susp_exe_locations.md           |   37 +-
 .../win_possible_applocker_bypass.md          |   35 +
 .../win_powershell_amsi_bypass.md             |   37 +-
 .../win_powershell_b64_shellcode.md           |   37 +-
 .../win_powershell_dll_execution.md           |   35 +
 .../win_powershell_download.md                |   37 +-
 ...wershell_suspicious_parameter_variation.md |   37 +-
 .../win_powershell_xor_commandline.md         |   37 +-
 .../win_powersploit_empire_schtasks.md        |   37 +-
 .../Detection_Rules/win_proc_wrong_parent.md  |   37 +-
 ...win_process_creation_bitsadmin_download.md |   37 +-
 .../Detection_Rules/win_psexesvc_start.md     |   35 +
 .../Detection_Rules/win_query_registry.md     |   35 +
 .../win_ransomware_shadowcopy.md              |   37 +-
 .../win_rare_schtask_creation.md              |   35 +
 .../win_rare_schtasks_creations.md            |   35 +
 .../win_rare_service_installs.md              |   35 +
 .../win_rdp_bluekeep_poc_scanner.md           |   35 +
 .../win_rdp_localhost_login.md                |   35 +
 .../win_rdp_potential_cve-2019-0708.md        |   35 +
 .../Detection_Rules/win_rdp_reverse_tunnel.md |   35 +
 .../Detection_Rules/win_renamed_binary.md     |   35 +
 .../Detection_Rules/win_renamed_paexec.md     |   35 +
 .../win_sdbinst_shim_persistence.md           |   37 +-
 .../Detection_Rules/win_service_execution.md  |   35 +
 .../win_shell_spawn_susp_program.md           |   35 +
 .../Detection_Rules/win_spn_enum.md           |   35 +
 .../win_susp_add_sid_history.md               |   37 +-
 .../Detection_Rules/win_susp_backup_delete.md |   35 +
 .../Detection_Rules/win_susp_bcdedit.md       |   35 +
 .../Detection_Rules/win_susp_bginfo.md        |   35 +
 .../Detection_Rules/win_susp_calc.md          |   37 +-
 .../Detection_Rules/win_susp_cdb.md           |   35 +
 .../win_susp_certutil_command.md              |   37 +-
 .../win_susp_certutil_encode.md               |   37 +-
 .../Detection_Rules/win_susp_cli_escape.md    |   37 +-
 .../win_susp_cmd_http_appdata.md              |   37 +-
 .../win_susp_codepage_switch.md               |   37 +-
 .../win_susp_commands_recon_activity.md       |   37 +-
 .../win_susp_compression_params.md            |   35 +
 .../win_susp_comsvcs_procdump.md              |   35 +
 .../win_susp_control_dll_load.md              |   37 +-
 .../Detection_Rules/win_susp_csc.md           |   37 +-
 .../Detection_Rules/win_susp_csc_folder.md    |   37 +-
 .../win_susp_devtoolslauncher.md              |   35 +
 .../Detection_Rules/win_susp_dhcp_config.md   |   35 +
 .../win_susp_dhcp_config_failed.md            |   37 +-
 .../Detection_Rules/win_susp_dns_config.md    |   37 +-
 .../Detection_Rules/win_susp_dnx.md           |   35 +
 .../win_susp_double_extension.md              |   37 +-
 .../win_susp_dsrm_password_change.md          |   35 +
 .../Detection_Rules/win_susp_dxcap.md         |   35 +
 .../win_susp_eventlog_clear.md                |   35 +
 .../win_susp_eventlog_cleared.md              |   35 +
 .../Detection_Rules/win_susp_exec_folder.md   |   37 +-
 .../win_susp_execution_path.md                |   37 +-
 .../win_susp_execution_path_webserver.md      |   37 +-
 .../win_susp_failed_logon_reasons.md          |   35 +
 .../win_susp_failed_logons_single_source.md   |   37 +-
 .../win_susp_firewall_disable.md              |   37 +-
 .../Detection_Rules/win_susp_fsutil_usage.md  |   35 +
 .../Detection_Rules/win_susp_gup.md           |   37 +-
 .../win_susp_interactive_logons.md            |   37 +-
 .../win_susp_iss_module_install.md            |   37 +-
 .../win_susp_kerberos_manipulation.md         |   37 +-
 .../Detection_Rules/win_susp_lsass_dump.md    |   35 +
 .../win_susp_mshta_execution.md               |   37 +-
 .../Detection_Rules/win_susp_msiexec_cwd.md   |   37 +-
 .../win_susp_msiexec_web_install.md           |   37 +-
 .../Detection_Rules/win_susp_msmpeng_crash.md |   35 +
 .../Detection_Rules/win_susp_msoffice.md      |   35 +
 .../Detection_Rules/win_susp_net_execution.md |   37 +-
 .../win_susp_net_recon_activity.md            |   35 +
 .../Detection_Rules/win_susp_ntdsutil.md      |   37 +-
 .../Detection_Rules/win_susp_ntlm_auth.md     |   35 +
 .../Detection_Rules/win_susp_odbcconf.md      |   35 +
 .../Detection_Rules/win_susp_openwith.md      |   35 +
 .../Detection_Rules/win_susp_outlook.md       |   37 +-
 .../Detection_Rules/win_susp_outlook_temp.md  |   37 +-
 .../Detection_Rules/win_susp_ping_hex_ip.md   |   37 +-
 .../win_susp_powershell_empire_launch.md      |   37 +-
 .../win_susp_powershell_empire_uac_bypass.md  |   37 +-
 .../win_susp_powershell_enc_cmd.md            |   37 +-
 .../win_susp_powershell_hidden_b64_cmd.md     |   37 +-
 .../win_susp_powershell_parent_combo.md       |   35 +
 .../Detection_Rules/win_susp_procdump.md      |   37 +-
 .../win_susp_process_creations.md             |   37 +-
 .../win_susp_prog_location_process_starts.md  |   37 +-
 .../Detection_Rules/win_susp_ps_appdata.md    |   37 +-
 .../Detection_Rules/win_susp_psexec.md        |   35 +
 .../win_susp_psr_capture_screenshots.md       |   35 +
 .../win_susp_raccess_sensitive_fext.md        |   35 +
 .../win_susp_rasdial_activity.md              |   37 +-
 .../Detection_Rules/win_susp_rc4_kerberos.md  |   35 +
 .../win_susp_recon_activity.md                |   37 +-
 .../win_susp_regsvr32_anomalies.md            |   37 +-
 .../Detection_Rules/win_susp_rottenpotato.md  |   35 +
 .../Detection_Rules/win_susp_run_locations.md |   37 +-
 .../win_susp_rundll32_activity.md             |   37 +-
 .../win_susp_rundll32_by_ordinal.md           |   37 +-
 .../Detection_Rules/win_susp_sam_dump.md      |   35 +
 .../Detection_Rules/win_susp_samr_pwset.md    |   35 +
 .../win_susp_schtask_creation.md              |   35 +
 .../win_susp_script_execution.md              |   37 +-
 .../Detection_Rules/win_susp_sdelete.md       |   37 +-
 .../win_susp_security_eventlog_cleared.md     |   37 +-
 .../win_susp_squirrel_lolbin.md               |   37 +-
 .../Detection_Rules/win_susp_svchost.md       |   37 +-
 .../win_susp_sysprep_appdata.md               |   37 +-
 .../Detection_Rules/win_susp_sysvol_access.md |   37 +-
 .../win_susp_taskmgr_localsystem.md           |   35 +
 .../win_susp_taskmgr_parent.md                |   37 +-
 .../win_susp_time_modification.md             |   35 +
 .../win_susp_tscon_localsystem.md             |   35 +
 .../win_susp_tscon_rdp_redirect.md            |   37 +-
 .../win_susp_userinit_child.md                |   37 +-
 .../win_susp_vssadmin_ntds_activity.md        |   37 +-
 .../Detection_Rules/win_susp_whoami.md        |   35 +
 .../Detection_Rules/win_susp_wmi_execution.md |   37 +-
 .../win_svcctl_remote_service.md              |   35 +
 .../win_sysmon_driver_unload.md               |   35 +
 .../Detection_Rules/win_system_exe_anomaly.md |   37 +-
 .../win_termserv_proc_spawn.md                |   35 +
 .../Detection_Rules/win_tool_psexec.md        |   37 +-
 .../Detection_Rules/win_usb_device_plugged.md |   37 +-
 .../win_user_added_to_local_administrators.md |   35 +
 .../Detection_Rules/win_user_creation.md      |   35 +
 .../win_vul_java_remote_debugging.md          |   37 +-
 .../Detection_Rules/win_webshell_detection.md |   37 +-
 .../Detection_Rules/win_webshell_spawn.md     |   37 +-
 .../win_win10_sched_task_0day.md              |   37 +-
 ...n_wmi_backdoor_exchange_transport_agent.md |   37 +-
 .../Detection_Rules/win_wmi_persistence.md    |   37 +-
 ...n_wmi_persistence_script_event_consumer.md |   37 +-
 .../win_wmi_spwns_powershell.md               |   37 +-
 .../Detection_Rules/win_workflow_compiler.md  |   37 +-
 .../win_xsl_script_processing.md              |   35 +
 analytics/generated/analytics.csv             | 8397 ++++-------------
 analytics/generated/atc_es_index.json         |  996 +-
 .../atc_attack_navigator_profile.json         |    2 +-
 analytics/generated/pivoting.csv              | 2096 ++--
 284 files changed, 12385 insertions(+), 8510 deletions(-)
 create mode 100644 Atomic_Threat_Coverage/Detection_Rules/sysmon_registry_persistence_key_linking.md
 create mode 100644 Atomic_Threat_Coverage/Detection_Rules/sysmon_renamed_procdump.md
 create mode 100644 Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_download_run_key.md
 create mode 100644 Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_lsass_dll_load.md
 create mode 100644 Atomic_Threat_Coverage/Detection_Rules/sysmon_suspicious_keyboard_layout_load.md
 create mode 100644 Atomic_Threat_Coverage/Detection_Rules/sysmon_svchost_dll_search_order_hijack.md
 create mode 100644 Atomic_Threat_Coverage/Detection_Rules/sysmon_webshell_creation_detect.md

diff --git a/Atomic_Threat_Coverage/Customers/CU_0001_TESTCUSTOMER.md b/Atomic_Threat_Coverage/Customers/CU_0001_TESTCUSTOMER.md
index 6eddac4..0ef917d 100644
--- a/Atomic_Threat_Coverage/Customers/CU_0001_TESTCUSTOMER.md
+++ b/Atomic_Threat_Coverage/Customers/CU_0001_TESTCUSTOMER.md
@@ -4,4 +4,4 @@
 | Description 		| Some text description here. It will be merged into one line. |
 | Data Needed    |<ul><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
 | Logging Policy | <ul><li>[LP_0001_windows_audit_process_creation](../Logging_Policies/LP_0001_windows_audit_process_creation.md)</li><li>[LP_0002_windows_audit_process_creation_with_commandline](../Logging_Policies/LP_0002_windows_audit_process_creation_with_commandline.md)</li><li>[LP_0003_windows_sysmon_process_creation](../Logging_Policies/LP_0003_windows_sysmon_process_creation.md)</li></ul> |
-| Detection Rule | <ul><li>[SquiblyTwo](../Detection_Rules/win_bypass_squiblytwo.md)</li><li>[Cmdkey Cached Credentials Recon](../Detection_Rules/win_cmdkey_recon.md)</li><li>[CMSTP UAC Bypass via COM Object Access](../Detection_Rules/win_cmstp_com_object_access.md)</li><li>[Suspicious XOR Encoded PowerShell Command Line](../Detection_Rules/powershell_xor_commandline.md)</li><li>[Hiding files with attrib.exe](../Detection_Rules/win_attrib_hiding_files.md)</li><li>[CMSTP Execution](../Detection_Rules/sysmon_cmstp_execution.md)</li><li>[Exploit for CVE-2015-1641](../Detection_Rules/win_exploit_cve_2015_1641.md)</li><li>[Exploit for CVE-2017-0261](../Detection_Rules/win_exploit_cve_2017_0261.md)</li><li>[Dridex Process Pattern](../Detection_Rules/win_malware_dridex.md)</li></ul> |
\ No newline at end of file
+| Detection Rule | <ul><li>[SquiblyTwo](../Detection_Rules/win_bypass_squiblytwo.md)</li><li>[Cmdkey Cached Credentials Recon](../Detection_Rules/win_cmdkey_recon.md)</li><li>[CMSTP UAC Bypass via COM Object Access](../Detection_Rules/win_cmstp_com_object_access.md)</li><li>[Suspicious XOR Encoded PowerShell Command Line](../Detection_Rules/win_powershell_xor_commandline.md)</li><li>[Hiding files with attrib.exe](../Detection_Rules/win_attrib_hiding_files.md)</li><li>[CMSTP Execution](../Detection_Rules/sysmon_cmstp_execution.md)</li><li>[Exploit for CVE-2015-1641](../Detection_Rules/win_exploit_cve_2015_1641.md)</li><li>[Exploit for CVE-2017-0261](../Detection_Rules/win_exploit_cve_2017_0261.md)</li><li>[Dridex Process Pattern](../Detection_Rules/win_malware_dridex.md)</li></ul> |
\ No newline at end of file
diff --git a/Atomic_Threat_Coverage/Detection_Rules/av_exploiting.md b/Atomic_Threat_Coverage/Detection_Rules/av_exploiting.md
index 36826aa..b682770 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/av_exploiting.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/av_exploiting.md
@@ -59,6 +59,27 @@ level: critical
 
 
 
+### es-qs
+    
+```
+Signature.keyword:(*MeteTool* OR *MPreter* OR *Meterpreter* OR *Metasploit* OR *PowerSploit* OR *CobaltSrike* OR *Swrort* OR *Rozena* OR *Backdoor.Cobalt*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Antivirus-Exploitation-Framework-Detection <<EOF\n{\n  "metadata": {\n    "title": "Antivirus Exploitation Framework Detection",\n    "description": "Detects a highly relevant Antivirus alert that reports an exploitation framework",\n    "tags": [\n      "attack.execution",\n      "attack.t1203",\n      "attack.command_and_control",\n      "attack.t1219"\n    ],\n    "query": "Signature.keyword:(*MeteTool* OR *MPreter* OR *Meterpreter* OR *Metasploit* OR *PowerSploit* OR *CobaltSrike* OR *Swrort* OR *Rozena* OR *Backdoor.Cobalt*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "Signature.keyword:(*MeteTool* OR *MPreter* OR *Meterpreter* OR *Metasploit* OR *PowerSploit* OR *CobaltSrike* OR *Swrort* OR *Rozena* OR *Backdoor.Cobalt*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Antivirus Exploitation Framework Detection\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\nFileName = {{_source.FileName}}\\n    User = {{_source.User}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+Signature.keyword:(*MeteTool* *MPreter* *Meterpreter* *Metasploit* *PowerSploit* *CobaltSrike* *Swrort* *Rozena* *Backdoor.Cobalt*)
+```
+
+
 ### splunk
     
 ```
@@ -66,4 +87,18 @@ level: critical
 ```
 
 
+### logpoint
+    
+```
+Signature IN ["*MeteTool*", "*MPreter*", "*Meterpreter*", "*Metasploit*", "*PowerSploit*", "*CobaltSrike*", "*Swrort*", "*Rozena*", "*Backdoor.Cobalt*"]
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*.*MeteTool.*|.*.*MPreter.*|.*.*Meterpreter.*|.*.*Metasploit.*|.*.*PowerSploit.*|.*.*CobaltSrike.*|.*.*Swrort.*|.*.*Rozena.*|.*.*Backdoor\\.Cobalt.*)'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/av_password_dumper.md b/Atomic_Threat_Coverage/Detection_Rules/av_password_dumper.md
index de10f65..2258ff3 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/av_password_dumper.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/av_password_dumper.md
@@ -56,6 +56,27 @@ level: critical
 
 
 
+### es-qs
+    
+```
+Signature.keyword:(*DumpCreds* OR *Mimikatz* OR *PWCrack* OR HTool\\/WCE OR *PSWtool* OR *PWDump* OR *SecurityTool* OR *PShlSpy*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Antivirus-Password-Dumper-Detection <<EOF\n{\n  "metadata": {\n    "title": "Antivirus Password Dumper Detection",\n    "description": "Detects a highly relevant Antivirus alert that reports a password dumper",\n    "tags": [\n      "attack.credential_access",\n      "attack.t1003"\n    ],\n    "query": "Signature.keyword:(*DumpCreds* OR *Mimikatz* OR *PWCrack* OR HTool\\\\/WCE OR *PSWtool* OR *PWDump* OR *SecurityTool* OR *PShlSpy*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "Signature.keyword:(*DumpCreds* OR *Mimikatz* OR *PWCrack* OR HTool\\\\/WCE OR *PSWtool* OR *PWDump* OR *SecurityTool* OR *PShlSpy*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Antivirus Password Dumper Detection\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\nFileName = {{_source.FileName}}\\n    User = {{_source.User}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+Signature.keyword:(*DumpCreds* *Mimikatz* *PWCrack* HTool\\/WCE *PSWtool* *PWDump* *SecurityTool* *PShlSpy*)
+```
+
+
 ### splunk
     
 ```
@@ -63,4 +84,18 @@ level: critical
 ```
 
 
+### logpoint
+    
+```
+Signature IN ["*DumpCreds*", "*Mimikatz*", "*PWCrack*", "HTool/WCE", "*PSWtool*", "*PWDump*", "*SecurityTool*", "*PShlSpy*"]
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*.*DumpCreds.*|.*.*Mimikatz.*|.*.*PWCrack.*|.*HTool/WCE|.*.*PSWtool.*|.*.*PWDump.*|.*.*SecurityTool.*|.*.*PShlSpy.*)'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/av_relevant_files.md b/Atomic_Threat_Coverage/Detection_Rules/av_relevant_files.md
index 4aef6cd..621d998 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/av_relevant_files.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/av_relevant_files.md
@@ -68,6 +68,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+FileName.keyword:(C\\:\\\\Windows\\\\Temp\\\\* OR C\\:\\\\Temp\\\\* OR *\\\\Client\\\\* OR C\\:\\\\PerfLogs\\\\* OR C\\:\\\\Users\\\\Public\\\\* OR C\\:\\\\Users\\\\Default\\\\* OR *.ps1 OR *.vbs OR *.bat OR *.chm OR *.xml OR *.txt OR *.jsp OR *.jspx OR *.asp OR *.aspx OR *.php OR *.war OR *.hta OR *.lnk OR *.scf OR *.wsf OR *.wsh)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Antivirus-Relevant-File-Paths-Alerts <<EOF\n{\n  "metadata": {\n    "title": "Antivirus Relevant File Paths Alerts",\n    "description": "Detects an Antivirus alert in a highly relevant file path or with a relevant file name",\n    "tags": "",\n    "query": "FileName.keyword:(C\\\\:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\* OR C\\\\:\\\\\\\\Temp\\\\\\\\* OR *\\\\\\\\Client\\\\\\\\* OR C\\\\:\\\\\\\\PerfLogs\\\\\\\\* OR C\\\\:\\\\\\\\Users\\\\\\\\Public\\\\\\\\* OR C\\\\:\\\\\\\\Users\\\\\\\\Default\\\\\\\\* OR *.ps1 OR *.vbs OR *.bat OR *.chm OR *.xml OR *.txt OR *.jsp OR *.jspx OR *.asp OR *.aspx OR *.php OR *.war OR *.hta OR *.lnk OR *.scf OR *.wsf OR *.wsh)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "FileName.keyword:(C\\\\:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\* OR C\\\\:\\\\\\\\Temp\\\\\\\\* OR *\\\\\\\\Client\\\\\\\\* OR C\\\\:\\\\\\\\PerfLogs\\\\\\\\* OR C\\\\:\\\\\\\\Users\\\\\\\\Public\\\\\\\\* OR C\\\\:\\\\\\\\Users\\\\\\\\Default\\\\\\\\* OR *.ps1 OR *.vbs OR *.bat OR *.chm OR *.xml OR *.txt OR *.jsp OR *.jspx OR *.asp OR *.aspx OR *.php OR *.war OR *.hta OR *.lnk OR *.scf OR *.wsf OR *.wsh)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Antivirus Relevant File Paths Alerts\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\nSignature = {{_source.Signature}}\\n     User = {{_source.User}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+FileName.keyword:(C\\:\\\\Windows\\\\Temp\\\\* C\\:\\\\Temp\\\\* *\\\\Client\\\\* C\\:\\\\PerfLogs\\\\* C\\:\\\\Users\\\\Public\\\\* C\\:\\\\Users\\\\Default\\\\* *.ps1 *.vbs *.bat *.chm *.xml *.txt *.jsp *.jspx *.asp *.aspx *.php *.war *.hta *.lnk *.scf *.wsf *.wsh)
+```
+
+
 ### splunk
     
 ```
@@ -75,4 +96,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+FileName IN ["C:\\\\Windows\\\\Temp\\\\*", "C:\\\\Temp\\\\*", "*\\\\Client\\\\*", "C:\\\\PerfLogs\\\\*", "C:\\\\Users\\\\Public\\\\*", "C:\\\\Users\\\\Default\\\\*", "*.ps1", "*.vbs", "*.bat", "*.chm", "*.xml", "*.txt", "*.jsp", "*.jspx", "*.asp", "*.aspx", "*.php", "*.war", "*.hta", "*.lnk", "*.scf", "*.wsf", "*.wsh"]
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*C:\\Windows\\Temp\\\\.*|.*C:\\Temp\\\\.*|.*.*\\\\Client\\\\.*|.*C:\\PerfLogs\\\\.*|.*C:\\Users\\Public\\\\.*|.*C:\\Users\\Default\\\\.*|.*.*\\.ps1|.*.*\\.vbs|.*.*\\.bat|.*.*\\.chm|.*.*\\.xml|.*.*\\.txt|.*.*\\.jsp|.*.*\\.jspx|.*.*\\.asp|.*.*\\.aspx|.*.*\\.php|.*.*\\.war|.*.*\\.hta|.*.*\\.lnk|.*.*\\.scf|.*.*\\.wsf|.*.*\\.wsh)'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/av_webshell.md b/Atomic_Threat_Coverage/Detection_Rules/av_webshell.md
index ab51185..c594595 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/av_webshell.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/av_webshell.md
@@ -55,6 +55,27 @@ level: critical
 
 
 
+### es-qs
+    
+```
+Signature.keyword:(PHP\\/Backdoor* OR JSP\\/Backdoor* OR ASP\\/Backdoor* OR Backdoor.PHP* OR Backdoor.JSP* OR Backdoor.ASP* OR *Webshell*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Antivirus-Web-Shell-Detection <<EOF\n{\n  "metadata": {\n    "title": "Antivirus Web Shell Detection",\n    "description": "Detects a highly relevant Antivirus alert that reports a web shell",\n    "tags": [\n      "attack.persistence",\n      "attack.t1100"\n    ],\n    "query": "Signature.keyword:(PHP\\\\/Backdoor* OR JSP\\\\/Backdoor* OR ASP\\\\/Backdoor* OR Backdoor.PHP* OR Backdoor.JSP* OR Backdoor.ASP* OR *Webshell*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "Signature.keyword:(PHP\\\\/Backdoor* OR JSP\\\\/Backdoor* OR ASP\\\\/Backdoor* OR Backdoor.PHP* OR Backdoor.JSP* OR Backdoor.ASP* OR *Webshell*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Antivirus Web Shell Detection\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\nFileName = {{_source.FileName}}\\n    User = {{_source.User}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+Signature.keyword:(PHP\\/Backdoor* JSP\\/Backdoor* ASP\\/Backdoor* Backdoor.PHP* Backdoor.JSP* Backdoor.ASP* *Webshell*)
+```
+
+
 ### splunk
     
 ```
@@ -62,4 +83,18 @@ level: critical
 ```
 
 
+### logpoint
+    
+```
+Signature IN ["PHP/Backdoor*", "JSP/Backdoor*", "ASP/Backdoor*", "Backdoor.PHP*", "Backdoor.JSP*", "Backdoor.ASP*", "*Webshell*"]
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*PHP/Backdoor.*|.*JSP/Backdoor.*|.*ASP/Backdoor.*|.*Backdoor\\.PHP.*|.*Backdoor\\.JSP.*|.*Backdoor\\.ASP.*|.*.*Webshell.*)'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/powershell_data_compressed.md b/Atomic_Threat_Coverage/Detection_Rules/powershell_data_compressed.md
index 35ff472..326c015 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/powershell_data_compressed.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/powershell_data_compressed.md
@@ -53,6 +53,27 @@ tags:
 
 
 
+### es-qs
+    
+```
+(EventID:"4104" AND keywords.keyword:*\\-Recurse* AND keywords.keyword:*|* AND keywords.keyword:*Compress\\-Archive*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Data-Compressed <<EOF\n{\n  "metadata": {\n    "title": "Data Compressed",\n    "description": "An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network",\n    "tags": [\n      "attack.exfiltration",\n      "attack.t1002"\n    ],\n    "query": "(EventID:\\"4104\\" AND keywords.keyword:*\\\\-Recurse* AND keywords.keyword:*|* AND keywords.keyword:*Compress\\\\-Archive*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:\\"4104\\" AND keywords.keyword:*\\\\-Recurse* AND keywords.keyword:*|* AND keywords.keyword:*Compress\\\\-Archive*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Data Compressed\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(EventID:"4104" AND keywords.keyword:*\\-Recurse* AND keywords.keyword:*|* AND keywords.keyword:*Compress\\-Archive*)
+```
+
+
 ### splunk
     
 ```
@@ -60,4 +81,18 @@ tags:
 ```
 
 
+### logpoint
+    
+```
+(event_id="4104" keywords="*-Recurse*" keywords="*|*" keywords="*Compress-Archive*")
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*4104)(?=.*.*-Recurse.*)(?=.*.*\\|.*)(?=.*.*Compress-Archive.*))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/powershell_downgrade_attack.md b/Atomic_Threat_Coverage/Detection_Rules/powershell_downgrade_attack.md
index 970ce1d..ec5b24e 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/powershell_downgrade_attack.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/powershell_downgrade_attack.md
@@ -50,6 +50,27 @@ level: medium
 
 
 
+### es-qs
+    
+```
+((EventID:"400" AND EngineVersion.keyword:2.*) AND (NOT (HostVersion.keyword:2.*)))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/PowerShell-Downgrade-Attack <<EOF\n{\n  "metadata": {\n    "title": "PowerShell Downgrade Attack",\n    "description": "Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.execution",\n      "attack.t1086"\n    ],\n    "query": "((EventID:\\"400\\" AND EngineVersion.keyword:2.*) AND (NOT (HostVersion.keyword:2.*)))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "((EventID:\\"400\\" AND EngineVersion.keyword:2.*) AND (NOT (HostVersion.keyword:2.*)))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'PowerShell Downgrade Attack\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+((EventID:"400" AND EngineVersion.keyword:2.*) AND (NOT (HostVersion.keyword:2.*)))
+```
+
+
 ### splunk
     
 ```
@@ -57,4 +78,18 @@ level: medium
 ```
 
 
+### logpoint
+    
+```
+((event_id="400" EngineVersion="2.*")  -(HostVersion="2.*"))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*(?=.*400)(?=.*2\\..*)))(?=.*(?!.*(?:.*(?=.*2\\..*)))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/powershell_exe_calling_ps.md b/Atomic_Threat_Coverage/Detection_Rules/powershell_exe_calling_ps.md
index e030687..c63a353 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/powershell_exe_calling_ps.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/powershell_exe_calling_ps.md
@@ -52,6 +52,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(EventID:"400" AND EngineVersion.keyword:(2.* OR 4.* OR 5.*) AND HostVersion.keyword:3.*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/PowerShell-called-from-an-Executable-Version-Mismatch <<EOF\n{\n  "metadata": {\n    "title": "PowerShell called from an Executable Version Mismatch",\n    "description": "Detects PowerShell called from an executable by the version mismatch method",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.execution",\n      "attack.t1086"\n    ],\n    "query": "(EventID:\\"400\\" AND EngineVersion.keyword:(2.* OR 4.* OR 5.*) AND HostVersion.keyword:3.*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:\\"400\\" AND EngineVersion.keyword:(2.* OR 4.* OR 5.*) AND HostVersion.keyword:3.*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'PowerShell called from an Executable Version Mismatch\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(EventID:"400" AND EngineVersion.keyword:(2.* 4.* 5.*) AND HostVersion.keyword:3.*)
+```
+
+
 ### splunk
     
 ```
@@ -59,4 +80,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_id="400" EngineVersion IN ["2.*", "4.*", "5.*"] HostVersion="3.*")
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*400)(?=.*(?:.*2\\..*|.*4\\..*|.*5\\..*))(?=.*3\\..*))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/powershell_malicious_commandlets.md b/Atomic_Threat_Coverage/Detection_Rules/powershell_malicious_commandlets.md
index 36d7416..1c37a9d 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/powershell_malicious_commandlets.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/powershell_malicious_commandlets.md
@@ -143,6 +143,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(Message.keyword:(*Invoke\\-DllInjection* OR *Invoke\\-Shellcode* OR *Invoke\\-WmiCommand* OR *Get\\-GPPPassword* OR *Get\\-Keystrokes* OR *Get\\-TimedScreenshot* OR *Get\\-VaultCredential* OR *Invoke\\-CredentialInjection* OR *Invoke\\-Mimikatz* OR *Invoke\\-NinjaCopy* OR *Invoke\\-TokenManipulation* OR *Out\\-Minidump* OR *VolumeShadowCopyTools* OR *Invoke\\-ReflectivePEInjection* OR *Invoke\\-UserHunter* OR *Find\\-GPOLocation* OR *Invoke\\-ACLScanner* OR *Invoke\\-DowngradeAccount* OR *Get\\-ServiceUnquoted* OR *Get\\-ServiceFilePermission* OR *Get\\-ServicePermission* OR *Invoke\\-ServiceAbuse* OR *Install\\-ServiceBinary* OR *Get\\-RegAutoLogon* OR *Get\\-VulnAutoRun* OR *Get\\-VulnSchTask* OR *Get\\-UnattendedInstallFile* OR *Get\\-ApplicationHost* OR *Get\\-RegAlwaysInstallElevated* OR *Get\\-Unconstrained* OR *Add\\-RegBackdoor* OR *Add\\-ScrnSaveBackdoor* OR *Gupt\\-Backdoor* OR *Invoke\\-ADSBackdoor* OR *Enabled\\-DuplicateToken* OR *Invoke\\-PsUaCme* OR *Remove\\-Update* OR *Check\\-VM* OR *Get\\-LSASecret* OR *Get\\-PassHashes* OR *Show\\-TargetScreen* OR *Port\\-Scan* OR *Invoke\\-PoshRatHttp* OR *Invoke\\-PowerShellTCP* OR *Invoke\\-PowerShellWMI* OR *Add\\-Exfiltration* OR *Add\\-Persistence* OR *Do\\-Exfiltration* OR *Start\\-CaptureServer* OR *Get\\-ChromeDump* OR *Get\\-ClipboardContents* OR *Get\\-FoxDump* OR *Get\\-IndexedItem* OR *Get\\-Screenshot* OR *Invoke\\-Inveigh* OR *Invoke\\-NetRipper* OR *Invoke\\-EgressCheck* OR *Invoke\\-PostExfil* OR *Invoke\\-PSInject* OR *Invoke\\-RunAs* OR *MailRaider* OR *New\\-HoneyHash* OR *Set\\-MacAttribute* OR *Invoke\\-DCSync* OR *Invoke\\-PowerDump* OR *Exploit\\-Jboss* OR *Invoke\\-ThunderStruck* OR *Invoke\\-VoiceTroll* OR *Set\\-Wallpaper* OR *Invoke\\-InveighRelay* OR *Invoke\\-PsExec* OR *Invoke\\-SSHCommand* OR *Get\\-SecurityPackages* OR *Install\\-SSP* OR *Invoke\\-BackdoorLNK* OR *PowerBreach* OR *Get\\-SiteListPassword* OR *Get\\-System* OR *Invoke\\-BypassUAC* OR *Invoke\\-Tater* OR *Invoke\\-WScriptBypassUAC* OR *PowerUp* OR *PowerView* OR *Get\\-RickAstley* OR *Find\\-Fruit* OR *HTTP\\-Login* OR *Find\\-TrustedDocuments* OR *Invoke\\-Paranoia* OR *Invoke\\-WinEnum* OR *Invoke\\-ARPScan* OR *Invoke\\-PortScan* OR *Invoke\\-ReverseDNSLookup* OR *Invoke\\-SMBScanner* OR *Invoke\\-Mimikittenz*) AND (NOT \\*.keyword:(*Get\\-SystemDriveInfo*)))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Malicious-PowerShell-Commandlets <<EOF\n{\n  "metadata": {\n    "title": "Malicious PowerShell Commandlets",\n    "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks",\n    "tags": [\n      "attack.execution",\n      "attack.t1086"\n    ],\n    "query": "(Message.keyword:(*Invoke\\\\-DllInjection* OR *Invoke\\\\-Shellcode* OR *Invoke\\\\-WmiCommand* OR *Get\\\\-GPPPassword* OR *Get\\\\-Keystrokes* OR *Get\\\\-TimedScreenshot* OR *Get\\\\-VaultCredential* OR *Invoke\\\\-CredentialInjection* OR *Invoke\\\\-Mimikatz* OR *Invoke\\\\-NinjaCopy* OR *Invoke\\\\-TokenManipulation* OR *Out\\\\-Minidump* OR *VolumeShadowCopyTools* OR *Invoke\\\\-ReflectivePEInjection* OR *Invoke\\\\-UserHunter* OR *Find\\\\-GPOLocation* OR *Invoke\\\\-ACLScanner* OR *Invoke\\\\-DowngradeAccount* OR *Get\\\\-ServiceUnquoted* OR *Get\\\\-ServiceFilePermission* OR *Get\\\\-ServicePermission* OR *Invoke\\\\-ServiceAbuse* OR *Install\\\\-ServiceBinary* OR *Get\\\\-RegAutoLogon* OR *Get\\\\-VulnAutoRun* OR *Get\\\\-VulnSchTask* OR *Get\\\\-UnattendedInstallFile* OR *Get\\\\-ApplicationHost* OR *Get\\\\-RegAlwaysInstallElevated* OR *Get\\\\-Unconstrained* OR *Add\\\\-RegBackdoor* OR *Add\\\\-ScrnSaveBackdoor* OR *Gupt\\\\-Backdoor* OR *Invoke\\\\-ADSBackdoor* OR *Enabled\\\\-DuplicateToken* OR *Invoke\\\\-PsUaCme* OR *Remove\\\\-Update* OR *Check\\\\-VM* OR *Get\\\\-LSASecret* OR *Get\\\\-PassHashes* OR *Show\\\\-TargetScreen* OR *Port\\\\-Scan* OR *Invoke\\\\-PoshRatHttp* OR *Invoke\\\\-PowerShellTCP* OR *Invoke\\\\-PowerShellWMI* OR *Add\\\\-Exfiltration* OR *Add\\\\-Persistence* OR *Do\\\\-Exfiltration* OR *Start\\\\-CaptureServer* OR *Get\\\\-ChromeDump* OR *Get\\\\-ClipboardContents* OR *Get\\\\-FoxDump* OR *Get\\\\-IndexedItem* OR *Get\\\\-Screenshot* OR *Invoke\\\\-Inveigh* OR *Invoke\\\\-NetRipper* OR *Invoke\\\\-EgressCheck* OR *Invoke\\\\-PostExfil* OR *Invoke\\\\-PSInject* OR *Invoke\\\\-RunAs* OR *MailRaider* OR *New\\\\-HoneyHash* OR *Set\\\\-MacAttribute* OR *Invoke\\\\-DCSync* OR *Invoke\\\\-PowerDump* OR *Exploit\\\\-Jboss* OR *Invoke\\\\-ThunderStruck* OR *Invoke\\\\-VoiceTroll* OR *Set\\\\-Wallpaper* OR *Invoke\\\\-InveighRelay* OR *Invoke\\\\-PsExec* OR *Invoke\\\\-SSHCommand* OR *Get\\\\-SecurityPackages* OR *Install\\\\-SSP* OR *Invoke\\\\-BackdoorLNK* OR *PowerBreach* OR *Get\\\\-SiteListPassword* OR *Get\\\\-System* OR *Invoke\\\\-BypassUAC* OR *Invoke\\\\-Tater* OR *Invoke\\\\-WScriptBypassUAC* OR *PowerUp* OR *PowerView* OR *Get\\\\-RickAstley* OR *Find\\\\-Fruit* OR *HTTP\\\\-Login* OR *Find\\\\-TrustedDocuments* OR *Invoke\\\\-Paranoia* OR *Invoke\\\\-WinEnum* OR *Invoke\\\\-ARPScan* OR *Invoke\\\\-PortScan* OR *Invoke\\\\-ReverseDNSLookup* OR *Invoke\\\\-SMBScanner* OR *Invoke\\\\-Mimikittenz*) AND (NOT \\\\*.keyword:(*Get\\\\-SystemDriveInfo*)))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(Message.keyword:(*Invoke\\\\-DllInjection* OR *Invoke\\\\-Shellcode* OR *Invoke\\\\-WmiCommand* OR *Get\\\\-GPPPassword* OR *Get\\\\-Keystrokes* OR *Get\\\\-TimedScreenshot* OR *Get\\\\-VaultCredential* OR *Invoke\\\\-CredentialInjection* OR *Invoke\\\\-Mimikatz* OR *Invoke\\\\-NinjaCopy* OR *Invoke\\\\-TokenManipulation* OR *Out\\\\-Minidump* OR *VolumeShadowCopyTools* OR *Invoke\\\\-ReflectivePEInjection* OR *Invoke\\\\-UserHunter* OR *Find\\\\-GPOLocation* OR *Invoke\\\\-ACLScanner* OR *Invoke\\\\-DowngradeAccount* OR *Get\\\\-ServiceUnquoted* OR *Get\\\\-ServiceFilePermission* OR *Get\\\\-ServicePermission* OR *Invoke\\\\-ServiceAbuse* OR *Install\\\\-ServiceBinary* OR *Get\\\\-RegAutoLogon* OR *Get\\\\-VulnAutoRun* OR *Get\\\\-VulnSchTask* OR *Get\\\\-UnattendedInstallFile* OR *Get\\\\-ApplicationHost* OR *Get\\\\-RegAlwaysInstallElevated* OR *Get\\\\-Unconstrained* OR *Add\\\\-RegBackdoor* OR *Add\\\\-ScrnSaveBackdoor* OR *Gupt\\\\-Backdoor* OR *Invoke\\\\-ADSBackdoor* OR *Enabled\\\\-DuplicateToken* OR *Invoke\\\\-PsUaCme* OR *Remove\\\\-Update* OR *Check\\\\-VM* OR *Get\\\\-LSASecret* OR *Get\\\\-PassHashes* OR *Show\\\\-TargetScreen* OR *Port\\\\-Scan* OR *Invoke\\\\-PoshRatHttp* OR *Invoke\\\\-PowerShellTCP* OR *Invoke\\\\-PowerShellWMI* OR *Add\\\\-Exfiltration* OR *Add\\\\-Persistence* OR *Do\\\\-Exfiltration* OR *Start\\\\-CaptureServer* OR *Get\\\\-ChromeDump* OR *Get\\\\-ClipboardContents* OR *Get\\\\-FoxDump* OR *Get\\\\-IndexedItem* OR *Get\\\\-Screenshot* OR *Invoke\\\\-Inveigh* OR *Invoke\\\\-NetRipper* OR *Invoke\\\\-EgressCheck* OR *Invoke\\\\-PostExfil* OR *Invoke\\\\-PSInject* OR *Invoke\\\\-RunAs* OR *MailRaider* OR *New\\\\-HoneyHash* OR *Set\\\\-MacAttribute* OR *Invoke\\\\-DCSync* OR *Invoke\\\\-PowerDump* OR *Exploit\\\\-Jboss* OR *Invoke\\\\-ThunderStruck* OR *Invoke\\\\-VoiceTroll* OR *Set\\\\-Wallpaper* OR *Invoke\\\\-InveighRelay* OR *Invoke\\\\-PsExec* OR *Invoke\\\\-SSHCommand* OR *Get\\\\-SecurityPackages* OR *Install\\\\-SSP* OR *Invoke\\\\-BackdoorLNK* OR *PowerBreach* OR *Get\\\\-SiteListPassword* OR *Get\\\\-System* OR *Invoke\\\\-BypassUAC* OR *Invoke\\\\-Tater* OR *Invoke\\\\-WScriptBypassUAC* OR *PowerUp* OR *PowerView* OR *Get\\\\-RickAstley* OR *Find\\\\-Fruit* OR *HTTP\\\\-Login* OR *Find\\\\-TrustedDocuments* OR *Invoke\\\\-Paranoia* OR *Invoke\\\\-WinEnum* OR *Invoke\\\\-ARPScan* OR *Invoke\\\\-PortScan* OR *Invoke\\\\-ReverseDNSLookup* OR *Invoke\\\\-SMBScanner* OR *Invoke\\\\-Mimikittenz*) AND (NOT \\\\*.keyword:(*Get\\\\-SystemDriveInfo*)))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Malicious PowerShell Commandlets\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(Message.keyword:(*Invoke\\-DllInjection* *Invoke\\-Shellcode* *Invoke\\-WmiCommand* *Get\\-GPPPassword* *Get\\-Keystrokes* *Get\\-TimedScreenshot* *Get\\-VaultCredential* *Invoke\\-CredentialInjection* *Invoke\\-Mimikatz* *Invoke\\-NinjaCopy* *Invoke\\-TokenManipulation* *Out\\-Minidump* *VolumeShadowCopyTools* *Invoke\\-ReflectivePEInjection* *Invoke\\-UserHunter* *Find\\-GPOLocation* *Invoke\\-ACLScanner* *Invoke\\-DowngradeAccount* *Get\\-ServiceUnquoted* *Get\\-ServiceFilePermission* *Get\\-ServicePermission* *Invoke\\-ServiceAbuse* *Install\\-ServiceBinary* *Get\\-RegAutoLogon* *Get\\-VulnAutoRun* *Get\\-VulnSchTask* *Get\\-UnattendedInstallFile* *Get\\-ApplicationHost* *Get\\-RegAlwaysInstallElevated* *Get\\-Unconstrained* *Add\\-RegBackdoor* *Add\\-ScrnSaveBackdoor* *Gupt\\-Backdoor* *Invoke\\-ADSBackdoor* *Enabled\\-DuplicateToken* *Invoke\\-PsUaCme* *Remove\\-Update* *Check\\-VM* *Get\\-LSASecret* *Get\\-PassHashes* *Show\\-TargetScreen* *Port\\-Scan* *Invoke\\-PoshRatHttp* *Invoke\\-PowerShellTCP* *Invoke\\-PowerShellWMI* *Add\\-Exfiltration* *Add\\-Persistence* *Do\\-Exfiltration* *Start\\-CaptureServer* *Get\\-ChromeDump* *Get\\-ClipboardContents* *Get\\-FoxDump* *Get\\-IndexedItem* *Get\\-Screenshot* *Invoke\\-Inveigh* *Invoke\\-NetRipper* *Invoke\\-EgressCheck* *Invoke\\-PostExfil* *Invoke\\-PSInject* *Invoke\\-RunAs* *MailRaider* *New\\-HoneyHash* *Set\\-MacAttribute* *Invoke\\-DCSync* *Invoke\\-PowerDump* *Exploit\\-Jboss* *Invoke\\-ThunderStruck* *Invoke\\-VoiceTroll* *Set\\-Wallpaper* *Invoke\\-InveighRelay* *Invoke\\-PsExec* *Invoke\\-SSHCommand* *Get\\-SecurityPackages* *Install\\-SSP* *Invoke\\-BackdoorLNK* *PowerBreach* *Get\\-SiteListPassword* *Get\\-System* *Invoke\\-BypassUAC* *Invoke\\-Tater* *Invoke\\-WScriptBypassUAC* *PowerUp* *PowerView* *Get\\-RickAstley* *Find\\-Fruit* *HTTP\\-Login* *Find\\-TrustedDocuments* *Invoke\\-Paranoia* *Invoke\\-WinEnum* *Invoke\\-ARPScan* *Invoke\\-PortScan* *Invoke\\-ReverseDNSLookup* *Invoke\\-SMBScanner* *Invoke\\-Mimikittenz*) AND (NOT \\*.keyword:(*Get\\-SystemDriveInfo*)))
+```
+
+
 ### splunk
     
 ```
@@ -150,4 +171,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(Message IN ["*Invoke-DllInjection*", "*Invoke-Shellcode*", "*Invoke-WmiCommand*", "*Get-GPPPassword*", "*Get-Keystrokes*", "*Get-TimedScreenshot*", "*Get-VaultCredential*", "*Invoke-CredentialInjection*", "*Invoke-Mimikatz*", "*Invoke-NinjaCopy*", "*Invoke-TokenManipulation*", "*Out-Minidump*", "*VolumeShadowCopyTools*", "*Invoke-ReflectivePEInjection*", "*Invoke-UserHunter*", "*Find-GPOLocation*", "*Invoke-ACLScanner*", "*Invoke-DowngradeAccount*", "*Get-ServiceUnquoted*", "*Get-ServiceFilePermission*", "*Get-ServicePermission*", "*Invoke-ServiceAbuse*", "*Install-ServiceBinary*", "*Get-RegAutoLogon*", "*Get-VulnAutoRun*", "*Get-VulnSchTask*", "*Get-UnattendedInstallFile*", "*Get-ApplicationHost*", "*Get-RegAlwaysInstallElevated*", "*Get-Unconstrained*", "*Add-RegBackdoor*", "*Add-ScrnSaveBackdoor*", "*Gupt-Backdoor*", "*Invoke-ADSBackdoor*", "*Enabled-DuplicateToken*", "*Invoke-PsUaCme*", "*Remove-Update*", "*Check-VM*", "*Get-LSASecret*", "*Get-PassHashes*", "*Show-TargetScreen*", "*Port-Scan*", "*Invoke-PoshRatHttp*", "*Invoke-PowerShellTCP*", "*Invoke-PowerShellWMI*", "*Add-Exfiltration*", "*Add-Persistence*", "*Do-Exfiltration*", "*Start-CaptureServer*", "*Get-ChromeDump*", "*Get-ClipboardContents*", "*Get-FoxDump*", "*Get-IndexedItem*", "*Get-Screenshot*", "*Invoke-Inveigh*", "*Invoke-NetRipper*", "*Invoke-EgressCheck*", "*Invoke-PostExfil*", "*Invoke-PSInject*", "*Invoke-RunAs*", "*MailRaider*", "*New-HoneyHash*", "*Set-MacAttribute*", "*Invoke-DCSync*", "*Invoke-PowerDump*", "*Exploit-Jboss*", "*Invoke-ThunderStruck*", "*Invoke-VoiceTroll*", "*Set-Wallpaper*", "*Invoke-InveighRelay*", "*Invoke-PsExec*", "*Invoke-SSHCommand*", "*Get-SecurityPackages*", "*Install-SSP*", "*Invoke-BackdoorLNK*", "*PowerBreach*", "*Get-SiteListPassword*", "*Get-System*", "*Invoke-BypassUAC*", "*Invoke-Tater*", "*Invoke-WScriptBypassUAC*", "*PowerUp*", "*PowerView*", "*Get-RickAstley*", "*Find-Fruit*", "*HTTP-Login*", "*Find-TrustedDocuments*", "*Invoke-Paranoia*", "*Invoke-WinEnum*", "*Invoke-ARPScan*", "*Invoke-PortScan*", "*Invoke-ReverseDNSLookup*", "*Invoke-SMBScanner*", "*Invoke-Mimikittenz*"]  -("Get-SystemDriveInfo"))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*.*Invoke-DllInjection.*|.*.*Invoke-Shellcode.*|.*.*Invoke-WmiCommand.*|.*.*Get-GPPPassword.*|.*.*Get-Keystrokes.*|.*.*Get-TimedScreenshot.*|.*.*Get-VaultCredential.*|.*.*Invoke-CredentialInjection.*|.*.*Invoke-Mimikatz.*|.*.*Invoke-NinjaCopy.*|.*.*Invoke-TokenManipulation.*|.*.*Out-Minidump.*|.*.*VolumeShadowCopyTools.*|.*.*Invoke-ReflectivePEInjection.*|.*.*Invoke-UserHunter.*|.*.*Find-GPOLocation.*|.*.*Invoke-ACLScanner.*|.*.*Invoke-DowngradeAccount.*|.*.*Get-ServiceUnquoted.*|.*.*Get-ServiceFilePermission.*|.*.*Get-ServicePermission.*|.*.*Invoke-ServiceAbuse.*|.*.*Install-ServiceBinary.*|.*.*Get-RegAutoLogon.*|.*.*Get-VulnAutoRun.*|.*.*Get-VulnSchTask.*|.*.*Get-UnattendedInstallFile.*|.*.*Get-ApplicationHost.*|.*.*Get-RegAlwaysInstallElevated.*|.*.*Get-Unconstrained.*|.*.*Add-RegBackdoor.*|.*.*Add-ScrnSaveBackdoor.*|.*.*Gupt-Backdoor.*|.*.*Invoke-ADSBackdoor.*|.*.*Enabled-DuplicateToken.*|.*.*Invoke-PsUaCme.*|.*.*Remove-Update.*|.*.*Check-VM.*|.*.*Get-LSASecret.*|.*.*Get-PassHashes.*|.*.*Show-TargetScreen.*|.*.*Port-Scan.*|.*.*Invoke-PoshRatHttp.*|.*.*Invoke-PowerShellTCP.*|.*.*Invoke-PowerShellWMI.*|.*.*Add-Exfiltration.*|.*.*Add-Persistence.*|.*.*Do-Exfiltration.*|.*.*Start-CaptureServer.*|.*.*Get-ChromeDump.*|.*.*Get-ClipboardContents.*|.*.*Get-FoxDump.*|.*.*Get-IndexedItem.*|.*.*Get-Screenshot.*|.*.*Invoke-Inveigh.*|.*.*Invoke-NetRipper.*|.*.*Invoke-EgressCheck.*|.*.*Invoke-PostExfil.*|.*.*Invoke-PSInject.*|.*.*Invoke-RunAs.*|.*.*MailRaider.*|.*.*New-HoneyHash.*|.*.*Set-MacAttribute.*|.*.*Invoke-DCSync.*|.*.*Invoke-PowerDump.*|.*.*Exploit-Jboss.*|.*.*Invoke-ThunderStruck.*|.*.*Invoke-VoiceTroll.*|.*.*Set-Wallpaper.*|.*.*Invoke-InveighRelay.*|.*.*Invoke-PsExec.*|.*.*Invoke-SSHCommand.*|.*.*Get-SecurityPackages.*|.*.*Install-SSP.*|.*.*Invoke-BackdoorLNK.*|.*.*PowerBreach.*|.*.*Get-SiteListPassword.*|.*.*Get-System.*|.*.*Invoke-BypassUAC.*|.*.*Invoke-Tater.*|.*.*Invoke-WScriptBypassUAC.*|.*.*PowerUp.*|.*.*PowerView.*|.*.*Get-RickAstley.*|.*.*Find-Fruit.*|.*.*HTTP-Login.*|.*.*Find-TrustedDocuments.*|.*.*Invoke-Paranoia.*|.*.*Invoke-WinEnum.*|.*.*Invoke-ARPScan.*|.*.*Invoke-PortScan.*|.*.*Invoke-ReverseDNSLookup.*|.*.*Invoke-SMBScanner.*|.*.*Invoke-Mimikittenz.*))(?=.*(?!.*(?:.*(?:.*Get-SystemDriveInfo)))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/powershell_malicious_keywords.md b/Atomic_Threat_Coverage/Detection_Rules/powershell_malicious_keywords.md
index e3dc75f..398bd2c 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/powershell_malicious_keywords.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/powershell_malicious_keywords.md
@@ -67,6 +67,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+Message.keyword:(*AdjustTokenPrivileges* OR *IMAGE_NT_OPTIONAL_HDR64_MAGIC* OR *Microsoft.Win32.UnsafeNativeMethods* OR *ReadProcessMemory.Invoke* OR *SE_PRIVILEGE_ENABLED* OR *LSA_UNICODE_STRING* OR *MiniDumpWriteDump* OR *PAGE_EXECUTE_READ* OR *SECURITY_DELEGATION* OR *TOKEN_ADJUST_PRIVILEGES* OR *TOKEN_ALL_ACCESS* OR *TOKEN_ASSIGN_PRIMARY* OR *TOKEN_DUPLICATE* OR *TOKEN_ELEVATION* OR *TOKEN_IMPERSONATE* OR *TOKEN_INFORMATION_CLASS* OR *TOKEN_PRIVILEGES* OR *TOKEN_QUERY* OR *Metasploit* OR *Mimikatz*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Malicious-PowerShell-Keywords <<EOF\n{\n  "metadata": {\n    "title": "Malicious PowerShell Keywords",\n    "description": "Detects keywords from well-known PowerShell exploitation frameworks",\n    "tags": [\n      "attack.execution",\n      "attack.t1086"\n    ],\n    "query": "Message.keyword:(*AdjustTokenPrivileges* OR *IMAGE_NT_OPTIONAL_HDR64_MAGIC* OR *Microsoft.Win32.UnsafeNativeMethods* OR *ReadProcessMemory.Invoke* OR *SE_PRIVILEGE_ENABLED* OR *LSA_UNICODE_STRING* OR *MiniDumpWriteDump* OR *PAGE_EXECUTE_READ* OR *SECURITY_DELEGATION* OR *TOKEN_ADJUST_PRIVILEGES* OR *TOKEN_ALL_ACCESS* OR *TOKEN_ASSIGN_PRIMARY* OR *TOKEN_DUPLICATE* OR *TOKEN_ELEVATION* OR *TOKEN_IMPERSONATE* OR *TOKEN_INFORMATION_CLASS* OR *TOKEN_PRIVILEGES* OR *TOKEN_QUERY* OR *Metasploit* OR *Mimikatz*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "Message.keyword:(*AdjustTokenPrivileges* OR *IMAGE_NT_OPTIONAL_HDR64_MAGIC* OR *Microsoft.Win32.UnsafeNativeMethods* OR *ReadProcessMemory.Invoke* OR *SE_PRIVILEGE_ENABLED* OR *LSA_UNICODE_STRING* OR *MiniDumpWriteDump* OR *PAGE_EXECUTE_READ* OR *SECURITY_DELEGATION* OR *TOKEN_ADJUST_PRIVILEGES* OR *TOKEN_ALL_ACCESS* OR *TOKEN_ASSIGN_PRIMARY* OR *TOKEN_DUPLICATE* OR *TOKEN_ELEVATION* OR *TOKEN_IMPERSONATE* OR *TOKEN_INFORMATION_CLASS* OR *TOKEN_PRIVILEGES* OR *TOKEN_QUERY* OR *Metasploit* OR *Mimikatz*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Malicious PowerShell Keywords\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+Message.keyword:(*AdjustTokenPrivileges* *IMAGE_NT_OPTIONAL_HDR64_MAGIC* *Microsoft.Win32.UnsafeNativeMethods* *ReadProcessMemory.Invoke* *SE_PRIVILEGE_ENABLED* *LSA_UNICODE_STRING* *MiniDumpWriteDump* *PAGE_EXECUTE_READ* *SECURITY_DELEGATION* *TOKEN_ADJUST_PRIVILEGES* *TOKEN_ALL_ACCESS* *TOKEN_ASSIGN_PRIMARY* *TOKEN_DUPLICATE* *TOKEN_ELEVATION* *TOKEN_IMPERSONATE* *TOKEN_INFORMATION_CLASS* *TOKEN_PRIVILEGES* *TOKEN_QUERY* *Metasploit* *Mimikatz*)
+```
+
+
 ### splunk
     
 ```
@@ -74,4 +95,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+Message IN ["*AdjustTokenPrivileges*", "*IMAGE_NT_OPTIONAL_HDR64_MAGIC*", "*Microsoft.Win32.UnsafeNativeMethods*", "*ReadProcessMemory.Invoke*", "*SE_PRIVILEGE_ENABLED*", "*LSA_UNICODE_STRING*", "*MiniDumpWriteDump*", "*PAGE_EXECUTE_READ*", "*SECURITY_DELEGATION*", "*TOKEN_ADJUST_PRIVILEGES*", "*TOKEN_ALL_ACCESS*", "*TOKEN_ASSIGN_PRIMARY*", "*TOKEN_DUPLICATE*", "*TOKEN_ELEVATION*", "*TOKEN_IMPERSONATE*", "*TOKEN_INFORMATION_CLASS*", "*TOKEN_PRIVILEGES*", "*TOKEN_QUERY*", "*Metasploit*", "*Mimikatz*"]
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*.*AdjustTokenPrivileges.*|.*.*IMAGE_NT_OPTIONAL_HDR64_MAGIC.*|.*.*Microsoft\\.Win32\\.UnsafeNativeMethods.*|.*.*ReadProcessMemory\\.Invoke.*|.*.*SE_PRIVILEGE_ENABLED.*|.*.*LSA_UNICODE_STRING.*|.*.*MiniDumpWriteDump.*|.*.*PAGE_EXECUTE_READ.*|.*.*SECURITY_DELEGATION.*|.*.*TOKEN_ADJUST_PRIVILEGES.*|.*.*TOKEN_ALL_ACCESS.*|.*.*TOKEN_ASSIGN_PRIMARY.*|.*.*TOKEN_DUPLICATE.*|.*.*TOKEN_ELEVATION.*|.*.*TOKEN_IMPERSONATE.*|.*.*TOKEN_INFORMATION_CLASS.*|.*.*TOKEN_PRIVILEGES.*|.*.*TOKEN_QUERY.*|.*.*Metasploit.*|.*.*Mimikatz.*)'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/powershell_ntfs_ads_access.md b/Atomic_Threat_Coverage/Detection_Rules/powershell_ntfs_ads_access.md
index 4ba8c82..b71194d 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/powershell_ntfs_ads_access.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/powershell_ntfs_ads_access.md
@@ -48,6 +48,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+\\*.keyword:(*set\\-content* AND *\\-stream*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/NTFS-Alternate-Data-Stream <<EOF\n{\n  "metadata": {\n    "title": "NTFS Alternate Data Stream",\n    "description": "Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.t1096"\n    ],\n    "query": "\\\\*.keyword:(*set\\\\-content* AND *\\\\-stream*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "\\\\*.keyword:(*set\\\\-content* AND *\\\\-stream*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'NTFS Alternate Data Stream\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+\\*.keyword:(*set\\-content* AND *\\-stream*)
+```
+
+
 ### splunk
     
 ```
@@ -55,4 +76,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+("set-content" "-stream")
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*set-content)(?=.*-stream))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/powershell_prompt_credentials.md b/Atomic_Threat_Coverage/Detection_Rules/powershell_prompt_credentials.md
index b74b005..d9bea24 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/powershell_prompt_credentials.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/powershell_prompt_credentials.md
@@ -51,6 +51,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(EventID:"4104" AND Message.keyword:(*PromptForCredential*))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/PowerShell-Credential-Prompt <<EOF\n{\n  "metadata": {\n    "title": "PowerShell Credential Prompt",\n    "description": "Detects PowerShell calling a credential prompt",\n    "tags": [\n      "attack.execution",\n      "attack.credential_access",\n      "attack.t1086"\n    ],\n    "query": "(EventID:\\"4104\\" AND Message.keyword:(*PromptForCredential*))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:\\"4104\\" AND Message.keyword:(*PromptForCredential*))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'PowerShell Credential Prompt\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(EventID:"4104" AND Message.keyword:(*PromptForCredential*))
+```
+
+
 ### splunk
     
 ```
@@ -58,4 +79,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_id="4104" Message IN ["*PromptForCredential*"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*4104)(?=.*(?:.*.*PromptForCredential.*)))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/powershell_psattack.md b/Atomic_Threat_Coverage/Detection_Rules/powershell_psattack.md
index 64d72c3..e46dab8 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/powershell_psattack.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/powershell_psattack.md
@@ -48,6 +48,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(EventID:"4103" AND "PS\\ ATTACK\\!\\!\\!")
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/PowerShell-PSAttack <<EOF\n{\n  "metadata": {\n    "title": "PowerShell PSAttack",\n    "description": "Detects the use of PSAttack PowerShell hack tool",\n    "tags": [\n      "attack.execution",\n      "attack.t1086"\n    ],\n    "query": "(EventID:\\"4103\\" AND \\"PS\\\\ ATTACK\\\\!\\\\!\\\\!\\")"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:\\"4103\\" AND \\"PS\\\\ ATTACK\\\\!\\\\!\\\\!\\")",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'PowerShell PSAttack\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(EventID:"4103" AND "PS ATTACK\\!\\!\\!")
+```
+
+
 ### splunk
     
 ```
@@ -55,4 +76,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_id="4103" "PS ATTACK!!!")
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*4103)(?=.*PS ATTACK!!!))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/powershell_shellcode_b64.md b/Atomic_Threat_Coverage/Detection_Rules/powershell_shellcode_b64.md
index 3be923f..9a94a62 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/powershell_shellcode_b64.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/powershell_shellcode_b64.md
@@ -54,6 +54,27 @@ level: critical
 
 
 
+### es-qs
+    
+```
+((EventID:"4104" AND "*AAAAYInlM*") AND \\*.keyword:(*OiCAAAAYInlM* OR *OiJAAAAYInlM*))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/PowerShell-ShellCode <<EOF\n{\n  "metadata": {\n    "title": "PowerShell ShellCode",\n    "description": "Detects Base64 encoded Shellcode",\n    "tags": [\n      "attack.privilege_escalation",\n      "attack.execution",\n      "attack.t1055",\n      "attack.t1086"\n    ],\n    "query": "((EventID:\\"4104\\" AND \\"*AAAAYInlM*\\") AND \\\\*.keyword:(*OiCAAAAYInlM* OR *OiJAAAAYInlM*))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "((EventID:\\"4104\\" AND \\"*AAAAYInlM*\\") AND \\\\*.keyword:(*OiCAAAAYInlM* OR *OiJAAAAYInlM*))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'PowerShell ShellCode\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+((EventID:"4104" AND "*AAAAYInlM*") AND \\*.keyword:(*OiCAAAAYInlM* OR *OiJAAAAYInlM*))
+```
+
+
 ### splunk
     
 ```
@@ -61,4 +82,18 @@ level: critical
 ```
 
 
+### logpoint
+    
+```
+((event_id="4104" "*AAAAYInlM*") ("*OiCAAAAYInlM*" OR "*OiJAAAAYInlM*"))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*(?=.*4104)(?=.*.*AAAAYInlM.*)))(?=.*(?:.*(?:.*.*OiCAAAAYInlM.*|.*.*OiJAAAAYInlM.*))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/powershell_suspicious_download.md b/Atomic_Threat_Coverage/Detection_Rules/powershell_suspicious_download.md
index 0edf3d0..a73c1be 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/powershell_suspicious_download.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/powershell_suspicious_download.md
@@ -45,6 +45,27 @@ level: medium
 
 
 
+### es-qs
+    
+```
+Message.keyword:(*System.Net.WebClient\\).DownloadString\\(* OR *system.net.webclient\\).downloadfile\\(*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-PowerShell-Download <<EOF\n{\n  "metadata": {\n    "title": "Suspicious PowerShell Download",\n    "description": "Detects suspicious PowerShell download command",\n    "tags": [\n      "attack.execution",\n      "attack.t1086"\n    ],\n    "query": "Message.keyword:(*System.Net.WebClient\\\\).DownloadString\\\\(* OR *system.net.webclient\\\\).downloadfile\\\\(*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "Message.keyword:(*System.Net.WebClient\\\\).DownloadString\\\\(* OR *system.net.webclient\\\\).downloadfile\\\\(*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Suspicious PowerShell Download\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+Message.keyword:(*System.Net.WebClient\\).DownloadString\\(* *system.net.webclient\\).downloadfile\\(*)
+```
+
+
 ### splunk
     
 ```
@@ -52,4 +73,18 @@ level: medium
 ```
 
 
+### logpoint
+    
+```
+Message IN ["*System.Net.WebClient).DownloadString(*", "*system.net.webclient).downloadfile(*"]
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*.*System\\.Net\\.WebClient\\)\\.DownloadString\\(.*|.*.*system\\.net\\.webclient\\)\\.downloadfile\\(.*)'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/powershell_suspicious_invocation_generic.md b/Atomic_Threat_Coverage/Detection_Rules/powershell_suspicious_invocation_generic.md
index 19f910d..bbdadb2 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/powershell_suspicious_invocation_generic.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/powershell_suspicious_invocation_generic.md
@@ -53,6 +53,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(\\*.keyword:(*\\ \\-enc\\ * OR *\\ \\-EncodedCommand\\ *) AND \\*.keyword:(*\\ \\-w\\ hidden\\ * OR *\\ \\-window\\ hidden\\ * OR *\\ \\-\\ windowstyle\\ hidden\\ *) AND \\*.keyword:(*\\ \\-noni\\ * OR *\\ \\-noninteractive\\ *))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-PowerShell-Invocations---Generic <<EOF\n{\n  "metadata": {\n    "title": "Suspicious PowerShell Invocations - Generic",\n    "description": "Detects suspicious PowerShell invocation command parameters",\n    "tags": [\n      "attack.execution",\n      "attack.t1086"\n    ],\n    "query": "(\\\\*.keyword:(*\\\\ \\\\-enc\\\\ * OR *\\\\ \\\\-EncodedCommand\\\\ *) AND \\\\*.keyword:(*\\\\ \\\\-w\\\\ hidden\\\\ * OR *\\\\ \\\\-window\\\\ hidden\\\\ * OR *\\\\ \\\\-\\\\ windowstyle\\\\ hidden\\\\ *) AND \\\\*.keyword:(*\\\\ \\\\-noni\\\\ * OR *\\\\ \\\\-noninteractive\\\\ *))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(\\\\*.keyword:(*\\\\ \\\\-enc\\\\ * OR *\\\\ \\\\-EncodedCommand\\\\ *) AND \\\\*.keyword:(*\\\\ \\\\-w\\\\ hidden\\\\ * OR *\\\\ \\\\-window\\\\ hidden\\\\ * OR *\\\\ \\\\-\\\\ windowstyle\\\\ hidden\\\\ *) AND \\\\*.keyword:(*\\\\ \\\\-noni\\\\ * OR *\\\\ \\\\-noninteractive\\\\ *))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Suspicious PowerShell Invocations - Generic\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(\\*.keyword:(* \\-enc * OR * \\-EncodedCommand *) AND \\*.keyword:(* \\-w hidden * OR * \\-window hidden * OR * \\- windowstyle hidden *) AND \\*.keyword:(* \\-noni * OR * \\-noninteractive *))
+```
+
+
 ### splunk
     
 ```
@@ -60,4 +81,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+((" -enc " OR " -EncodedCommand ") (" -w hidden " OR " -window hidden " OR " - windowstyle hidden ") (" -noni " OR " -noninteractive "))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*(?:.* -enc |.* -EncodedCommand )))(?=.*(?:.*(?:.* -w hidden |.* -window hidden |.* - windowstyle hidden )))(?=.*(?:.*(?:.* -noni |.* -noninteractive ))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/powershell_suspicious_invocation_specific.md b/Atomic_Threat_Coverage/Detection_Rules/powershell_suspicious_invocation_specific.md
index a0e912d..94ef3e3 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/powershell_suspicious_invocation_specific.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/powershell_suspicious_invocation_specific.md
@@ -49,6 +49,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+Message.keyword:(*\\ \\-nop\\ \\-w\\ hidden\\ \\-c\\ *\\ \\[Convert\\]\\:\\:FromBase64String* OR *\\ \\-w\\ hidden\\ \\-noni\\ \\-nop\\ \\-c\\ \\"iex\\(New\\-Object* OR *\\ \\-w\\ hidden\\ \\-ep\\ bypass\\ \\-Enc* OR *powershell.exe\\ reg\\ add\\ HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run* OR *bypass\\ \\-noprofile\\ \\-windowstyle\\ hidden\\ \\(new\\-object\\ system.net.webclient\\).download* OR *iex\\(New\\-Object\\ Net.WebClient\\).Download*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-PowerShell-Invocations---Specific <<EOF\n{\n  "metadata": {\n    "title": "Suspicious PowerShell Invocations - Specific",\n    "description": "Detects suspicious PowerShell invocation command parameters",\n    "tags": [\n      "attack.execution",\n      "attack.t1086"\n    ],\n    "query": "Message.keyword:(*\\\\ \\\\-nop\\\\ \\\\-w\\\\ hidden\\\\ \\\\-c\\\\ *\\\\ \\\\[Convert\\\\]\\\\:\\\\:FromBase64String* OR *\\\\ \\\\-w\\\\ hidden\\\\ \\\\-noni\\\\ \\\\-nop\\\\ \\\\-c\\\\ \\\\\\"iex\\\\(New\\\\-Object* OR *\\\\ \\\\-w\\\\ hidden\\\\ \\\\-ep\\\\ bypass\\\\ \\\\-Enc* OR *powershell.exe\\\\ reg\\\\ add\\\\ HKCU\\\\\\\\software\\\\\\\\microsoft\\\\\\\\windows\\\\\\\\currentversion\\\\\\\\run* OR *bypass\\\\ \\\\-noprofile\\\\ \\\\-windowstyle\\\\ hidden\\\\ \\\\(new\\\\-object\\\\ system.net.webclient\\\\).download* OR *iex\\\\(New\\\\-Object\\\\ Net.WebClient\\\\).Download*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "Message.keyword:(*\\\\ \\\\-nop\\\\ \\\\-w\\\\ hidden\\\\ \\\\-c\\\\ *\\\\ \\\\[Convert\\\\]\\\\:\\\\:FromBase64String* OR *\\\\ \\\\-w\\\\ hidden\\\\ \\\\-noni\\\\ \\\\-nop\\\\ \\\\-c\\\\ \\\\\\"iex\\\\(New\\\\-Object* OR *\\\\ \\\\-w\\\\ hidden\\\\ \\\\-ep\\\\ bypass\\\\ \\\\-Enc* OR *powershell.exe\\\\ reg\\\\ add\\\\ HKCU\\\\\\\\software\\\\\\\\microsoft\\\\\\\\windows\\\\\\\\currentversion\\\\\\\\run* OR *bypass\\\\ \\\\-noprofile\\\\ \\\\-windowstyle\\\\ hidden\\\\ \\\\(new\\\\-object\\\\ system.net.webclient\\\\).download* OR *iex\\\\(New\\\\-Object\\\\ Net.WebClient\\\\).Download*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Suspicious PowerShell Invocations - Specific\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+Message.keyword:(* \\-nop \\-w hidden \\-c * \\[Convert\\]\\:\\:FromBase64String* * \\-w hidden \\-noni \\-nop \\-c \\"iex\\(New\\-Object* * \\-w hidden \\-ep bypass \\-Enc* *powershell.exe reg add HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run* *bypass \\-noprofile \\-windowstyle hidden \\(new\\-object system.net.webclient\\).download* *iex\\(New\\-Object Net.WebClient\\).Download*)
+```
+
+
 ### splunk
     
 ```
@@ -56,4 +77,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+Message IN ["* -nop -w hidden -c * [Convert]::FromBase64String*", "* -w hidden -noni -nop -c \\"iex(New-Object*", "* -w hidden -ep bypass -Enc*", "*powershell.exe reg add HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run*", "*bypass -noprofile -windowstyle hidden (new-object system.net.webclient).download*", "*iex(New-Object Net.WebClient).Download*"]
+```
+
+
+### grep
+    
+```
+grep -P \'^(?:.*.* -nop -w hidden -c .* \\[Convert\\]::FromBase64String.*|.*.* -w hidden -noni -nop -c "iex\\(New-Object.*|.*.* -w hidden -ep bypass -Enc.*|.*.*powershell\\.exe reg add HKCU\\software\\microsoft\\windows\\currentversion\\run.*|.*.*bypass -noprofile -windowstyle hidden \\(new-object system\\.net\\.webclient\\)\\.download.*|.*.*iex\\(New-Object Net\\.WebClient\\)\\.Download.*)\'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/powershell_suspicious_keywords.md b/Atomic_Threat_Coverage/Detection_Rules/powershell_suspicious_keywords.md
index a8b4215..7dc8b6a 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/powershell_suspicious_keywords.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/powershell_suspicious_keywords.md
@@ -48,6 +48,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+Message.keyword:(*\\[System.Reflection.Assembly\\]\\:\\:Load*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-PowerShell-Keywords <<EOF\n{\n  "metadata": {\n    "title": "Suspicious PowerShell Keywords",\n    "description": "Detects keywords that could indicate the use of some PowerShell exploitation framework",\n    "tags": [\n      "attack.execution",\n      "attack.t1086"\n    ],\n    "query": "Message.keyword:(*\\\\[System.Reflection.Assembly\\\\]\\\\:\\\\:Load*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "Message.keyword:(*\\\\[System.Reflection.Assembly\\\\]\\\\:\\\\:Load*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Suspicious PowerShell Keywords\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+Message.keyword:(*\\[System.Reflection.Assembly\\]\\:\\:Load*)
+```
+
+
 ### splunk
     
 ```
@@ -55,4 +76,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+Message IN ["*[System.Reflection.Assembly]::Load*"]
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*.*\\[System\\.Reflection\\.Assembly\\]::Load.*)'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/powershell_winlogon_helper_dll.md b/Atomic_Threat_Coverage/Detection_Rules/powershell_winlogon_helper_dll.md
index 0bcbdcb..56f40af 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/powershell_winlogon_helper_dll.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/powershell_winlogon_helper_dll.md
@@ -56,6 +56,27 @@ tags:
 
 
 
+### es-qs
+    
+```
+(EventID:"4104" AND \\*.keyword:(*Set\\-ItemProperty* OR *New\\-Item*) AND "*CurrentVersion\\\\Winlogon*")
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Winlogon-Helper-DLL <<EOF\n{\n  "metadata": {\n    "title": "Winlogon Helper DLL",\n    "description": "Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\\\\Software[Wow6432Node]Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\ and HKCU\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables.",\n    "tags": [\n      "attack.persistence",\n      "attack.t1004"\n    ],\n    "query": "(EventID:\\"4104\\" AND \\\\*.keyword:(*Set\\\\-ItemProperty* OR *New\\\\-Item*) AND \\"*CurrentVersion\\\\\\\\Winlogon*\\")"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:\\"4104\\" AND \\\\*.keyword:(*Set\\\\-ItemProperty* OR *New\\\\-Item*) AND \\"*CurrentVersion\\\\\\\\Winlogon*\\")",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Winlogon Helper DLL\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(EventID:"4104" AND \\*.keyword:(*Set\\-ItemProperty* OR *New\\-Item*) AND "*CurrentVersion\\\\Winlogon*")
+```
+
+
 ### splunk
     
 ```
@@ -63,4 +84,18 @@ tags:
 ```
 
 
+### logpoint
+    
+```
+(event_id="4104" ("*Set-ItemProperty*" OR "*New-Item*") "*CurrentVersion\\\\Winlogon*")
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*4104)(?=.*(?:.*(?:.*.*Set-ItemProperty.*|.*.*New-Item.*)))(?=.*.*CurrentVersion\\Winlogon.*))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_ads_executable.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_ads_executable.md
index 17f57cd..e5d0e2c 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_ads_executable.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_ads_executable.md
@@ -11,7 +11,7 @@
 | Development Status   | experimental |
 | References           | <ul><li>[https://twitter.com/0xrawsec/status/1002478725605273600?s=21](https://twitter.com/0xrawsec/status/1002478725605273600?s=21)</li></ul>  |
 | Author               | Florian Roth, @0xrawsec |
-| Other Tags           | <ul><li>attack.s0139</li><li>attack.s0139</li></ul> | 
+| Other Tags           | <ul><li>attack.s0139</li></ul> | 
 
 ## Detection Rules
 
@@ -19,6 +19,7 @@
 
 ```
 title: Executable in ADS
+id: b69888d4-380c-45ce-9cf9-d9ce46e67821
 status: experimental
 description: Detects the creation of an ADS data stream that contains an executable (non-empty imphash)
 references:
@@ -70,7 +71,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### graylog
     
 ```
-(EventID:"15" AND NOT (Imphash:"00000000000000000000000000000000"))
+(EventID:"15" AND (NOT (Imphash:"00000000000000000000000000000000")))
 ```
 
 
@@ -84,7 +85,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### logpoint
     
 ```
-(EventID="15"  -(Imphash="00000000000000000000000000000000"))
+(event_id="15"  -(Imphash="00000000000000000000000000000000"))
 ```
 
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_cactustorch.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_cactustorch.md
index b589fc6..ef3baef 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_cactustorch.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_cactustorch.md
@@ -19,12 +19,13 @@
 
 ```
 title: CACTUSTORCH Remote Thread Creation
+id: 2e4e488a-6164-4811-9ea1-f960c7359c40
 description: Detects remote thread creation from CACTUSTORCH as described in references.
 references:
     - https://twitter.com/SBousseaden/status/1090588499517079552
     - https://github.com/mdsecactivebreach/CACTUSTORCH
 status: experimental
-author: "@SBousseaden (detection), Thomas Patzke (rule)"
+author: '@SBousseaden (detection), Thomas Patzke (rule)'
 logsource:
     product: windows
     service: sysmon
@@ -71,7 +72,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### graylog
     
 ```
-(EventID:"8" AND SourceImage:("*\\\\System32\\\\cscript.exe" "*\\\\System32\\\\wscript.exe" "*\\\\System32\\\\mshta.exe" "*\\\\winword.exe" "*\\\\excel.exe") AND TargetImage:"*\\\\SysWOW64\\\\*" AND NOT _exists_:StartModule)
+(EventID:"8" AND SourceImage.keyword:(*\\\\System32\\\\cscript.exe *\\\\System32\\\\wscript.exe *\\\\System32\\\\mshta.exe *\\\\winword.exe *\\\\excel.exe) AND TargetImage.keyword:*\\\\SysWOW64\\\\* AND NOT _exists_:StartModule)
 ```
 
 
@@ -85,7 +86,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### logpoint
     
 ```
-(EventID="8" SourceImage IN ["*\\\\System32\\\\cscript.exe", "*\\\\System32\\\\wscript.exe", "*\\\\System32\\\\mshta.exe", "*\\\\winword.exe", "*\\\\excel.exe"] TargetImage="*\\\\SysWOW64\\\\*" -StartModule=*)
+(event_id="8" SourceImage IN ["*\\\\System32\\\\cscript.exe", "*\\\\System32\\\\wscript.exe", "*\\\\System32\\\\mshta.exe", "*\\\\winword.exe", "*\\\\excel.exe"] TargetImage="*\\\\SysWOW64\\\\*" -StartModule=*)
 ```
 
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_cmstp_execution.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_cmstp_execution.md
index a03688f..636845e 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_cmstp_execution.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_cmstp_execution.md
@@ -3,7 +3,7 @@
 | Description          | Detects various indicators of Microsoft Connection Manager Profile Installer execution                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1191: CMSTP](https://attack.mitre.org/techniques/T1191)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0016_12_windows_sysmon_RegistryEvent](../Data_Needed/DN_0016_12_windows_sysmon_RegistryEvent.md)</li><li>[DN_0014_10_windows_sysmon_ProcessAccess](../Data_Needed/DN_0014_10_windows_sysmon_ProcessAccess.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0016_12_windows_sysmon_RegistryEvent](../Data_Needed/DN_0016_12_windows_sysmon_RegistryEvent.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0014_10_windows_sysmon_ProcessAccess](../Data_Needed/DN_0014_10_windows_sysmon_ProcessAccess.md)</li><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1191: CMSTP](../Triggers/T1191.md)</li></ul>  |
 | Severity Level       | high |
@@ -11,16 +11,16 @@
 | Development Status   | stable |
 | References           | <ul><li>[http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/](http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/)</li></ul>  |
 | Author               | Nik Seetharaman |
-| Other Tags           | <ul><li>attack.g0069</li><li>attack.g0069</li><li>car.2019-04-001</li><li>car.2019-04-001</li></ul> | 
+| Other Tags           | <ul><li>attack.g0069</li><li>car.2019-04-001</li></ul> | 
 
 ## Detection Rules
 
 ### Sigma rule
 
 ```
----
 action: global
 title: CMSTP Execution
+id: 9d26fede-b526-4413-b069-6e24b6d07167
 status: stable
 description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
 tags:
@@ -89,7 +89,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### graylog
     
 ```
-((EventID:"12" AND TargetObject:"*\\\\cmmgr32.exe*") OR (EventID:"13" AND TargetObject:"*\\\\cmmgr32.exe*") OR (EventID:"10" AND CallTrace:"*cmlua.dll*"))\nParentImage:"*\\\\cmstp.exe"
+((EventID:"12" AND TargetObject.keyword:*\\\\cmmgr32.exe*) OR (EventID:"13" AND TargetObject.keyword:*\\\\cmmgr32.exe*) OR (EventID:"10" AND CallTrace.keyword:*cmlua.dll*))\nParentImage.keyword:*\\\\cmstp.exe
 ```
 
 
@@ -103,7 +103,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### logpoint
     
 ```
-((EventID="12" TargetObject="*\\\\cmmgr32.exe*") OR (EventID="13" TargetObject="*\\\\cmmgr32.exe*") OR (EventID="10" CallTrace="*cmlua.dll*"))\nParentImage="*\\\\cmstp.exe"
+((event_id="12" TargetObject="*\\\\cmmgr32.exe*") OR (event_id="13" TargetObject="*\\\\cmmgr32.exe*") OR (event_id="10" CallTrace="*cmlua.dll*"))\n(event_id="1" ParentImage="*\\\\cmstp.exe")
 ```
 
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_cobaltstrike_process_injection.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_cobaltstrike_process_injection.md
index 915fcf6..8f62439 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_cobaltstrike_process_injection.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_cobaltstrike_process_injection.md
@@ -9,8 +9,8 @@
 | Severity Level       | high |
 | False Positives      | <ul><li>unknown</li></ul>  |
 | Development Status   | experimental |
-| References           | <ul><li>[https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f](https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f)</li></ul>  |
-| Author               | Olaf Hartong, Florian Roth |
+| References           | <ul><li>[https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f](https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f)</li><li>[https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/](https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/)</li></ul>  |
+| Author               | Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community |
 
 
 ## Detection Rules
@@ -18,22 +18,29 @@
 ### Sigma rule
 
 ```
-title: CobaltStrike Process Injection 
-description: Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons 
+title: CobaltStrike Process Injection
+id: 6309645e-122d-4c5b-bb2b-22e4f9c2fa42
+description: Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons
 references:
     - https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
+    - https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/
 tags:
     - attack.defense_evasion
     - attack.t1055
 status: experimental
-author: Olaf Hartong, Florian Roth
+author: Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community
+date: 2018/11/30
+modified: 2019/11/08
 logsource:
     product: windows
     service: sysmon
 detection:
     selection:
         EventID: 8
-        TargetProcessAddress: '*0B80'
+        TargetProcessAddress|endswith: 
+            - '0B80'
+            - '0C7C'
+            - '0C88'
     condition: selection
 falsepositives:
     - unknown
@@ -49,42 +56,42 @@ level: high
 ### es-qs
     
 ```
-(EventID:"8" AND TargetProcessAddress.keyword:*0B80)
+(EventID:"8" AND TargetProcessAddress.keyword:(*0B80 OR *0C7C OR *0C88))
 ```
 
 
 ### xpack-watcher
     
 ```
-curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/CobaltStrike-Process-Injection <<EOF\n{\n  "metadata": {\n    "title": "CobaltStrike Process Injection",\n    "description": "Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.t1055"\n    ],\n    "query": "(EventID:\\"8\\" AND TargetProcessAddress.keyword:*0B80)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:\\"8\\" AND TargetProcessAddress.keyword:*0B80)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'CobaltStrike Process Injection\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/CobaltStrike-Process-Injection <<EOF\n{\n  "metadata": {\n    "title": "CobaltStrike Process Injection",\n    "description": "Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.t1055"\n    ],\n    "query": "(EventID:\\"8\\" AND TargetProcessAddress.keyword:(*0B80 OR *0C7C OR *0C88))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:\\"8\\" AND TargetProcessAddress.keyword:(*0B80 OR *0C7C OR *0C88))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'CobaltStrike Process Injection\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
 ```
 
 
 ### graylog
     
 ```
-(EventID:"8" AND TargetProcessAddress:"*0B80")
+(EventID:"8" AND TargetProcessAddress.keyword:(*0B80 *0C7C *0C88))
 ```
 
 
 ### splunk
     
 ```
-(EventID="8" TargetProcessAddress="*0B80")
+(EventID="8" (TargetProcessAddress="*0B80" OR TargetProcessAddress="*0C7C" OR TargetProcessAddress="*0C88"))
 ```
 
 
 ### logpoint
     
 ```
-(EventID="8" TargetProcessAddress="*0B80")
+(event_id="8" TargetProcessAddress IN ["*0B80", "*0C7C", "*0C88"])
 ```
 
 
 ### grep
     
 ```
-grep -P '^(?:.*(?=.*8)(?=.*.*0B80))'
+grep -P '^(?:.*(?=.*8)(?=.*(?:.*.*0B80|.*.*0C7C|.*.*0C88)))'
 ```
 
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_dhcp_calloutdll.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_dhcp_calloutdll.md
index c95b757..40f4e05 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_dhcp_calloutdll.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_dhcp_calloutdll.md
@@ -19,8 +19,10 @@
 
 ```
 title: DHCP Callout DLL installation
+id: 9d3436ef-9476-4c43-acca-90ce06bdf33a
 status: experimental
-description: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)
+description: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the
+    DHCP server (restart required)
 references:
     - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
     - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
@@ -68,7 +70,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### graylog
     
 ```
-(EventID:"13" AND TargetObject:("*\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutDlls" "*\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutEnabled"))
+(EventID:"13" AND TargetObject.keyword:(*\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutDlls *\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutEnabled))
 ```
 
 
@@ -82,7 +84,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### logpoint
     
 ```
-(EventID="13" TargetObject IN ["*\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutDlls", "*\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutEnabled"])
+(event_id="13" TargetObject IN ["*\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutDlls", "*\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutEnabled"])
 ```
 
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_dns_serverlevelplugindll.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_dns_serverlevelplugindll.md
index 7968d79..262a66a 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_dns_serverlevelplugindll.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_dns_serverlevelplugindll.md
@@ -18,11 +18,12 @@
 ### Sigma rule
 
 ```
----
 action: global
 title: DNS ServerLevelPluginDll Install
+id: e61e8a88-59a9-451c-874e-70fcc9740d67
 status: experimental
-description: Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required)
+description: Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server
+    (restart required)
 references:
     - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
 date: 2017/05/08
@@ -80,7 +81,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### graylog
     
 ```
-(EventID:"13" AND TargetObject:"*\\\\services\\\\DNS\\\\Parameters\\\\ServerLevelPluginDll")\nCommandLine:"dnscmd.exe \\/config \\/serverlevelplugindll *"
+(EventID:"13" AND TargetObject.keyword:*\\\\services\\\\DNS\\\\Parameters\\\\ServerLevelPluginDll)\nCommandLine.keyword:dnscmd.exe \\/config \\/serverlevelplugindll *
 ```
 
 
@@ -94,7 +95,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### logpoint
     
 ```
-(EventID="13" TargetObject="*\\\\services\\\\DNS\\\\Parameters\\\\ServerLevelPluginDll")\nCommandLine="dnscmd.exe /config /serverlevelplugindll *"
+(event_id="13" TargetObject="*\\\\services\\\\DNS\\\\Parameters\\\\ServerLevelPluginDll")\n(event_id="1" CommandLine="dnscmd.exe /config /serverlevelplugindll *")
 ```
 
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_ghostpack_safetykatz.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_ghostpack_safetykatz.md
index b51c80d..cde2011 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_ghostpack_safetykatz.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_ghostpack_safetykatz.md
@@ -19,6 +19,7 @@
 
 ```
 title: Detection of SafetyKatz
+id: e074832a-eada-4fd7-94a1-10642b130e16
 status: experimental
 description: Detects possible SafetyKatz Behaviour
 references:
@@ -63,7 +64,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### graylog
     
 ```
-(EventID:"11" AND TargetFilename:"*\\\\Temp\\\\debug.bin")
+(EventID:"11" AND TargetFilename.keyword:*\\\\Temp\\\\debug.bin)
 ```
 
 
@@ -77,7 +78,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### logpoint
     
 ```
-(EventID="11" TargetFilename="*\\\\Temp\\\\debug.bin")
+(event_id="11" TargetFilename="*\\\\Temp\\\\debug.bin")
 ```
 
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_logon_scripts_userinitmprlogonscript.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_logon_scripts_userinitmprlogonscript.md
index e22c1a7..935bad2 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_logon_scripts_userinitmprlogonscript.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_logon_scripts_userinitmprlogonscript.md
@@ -3,7 +3,7 @@
 | Description          | Detects creation or execution of UserInitMprLogonScript persistence method                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1037: Logon Scripts](https://attack.mitre.org/techniques/T1037)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0016_12_windows_sysmon_RegistryEvent](../Data_Needed/DN_0016_12_windows_sysmon_RegistryEvent.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li><li>[DN_0015_11_windows_sysmon_FileCreate](../Data_Needed/DN_0015_11_windows_sysmon_FileCreate.md)</li><li>[DN_0018_14_windows_sysmon_RegistryEvent](../Data_Needed/DN_0018_14_windows_sysmon_RegistryEvent.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0016_12_windows_sysmon_RegistryEvent](../Data_Needed/DN_0016_12_windows_sysmon_RegistryEvent.md)</li><li>[DN_0018_14_windows_sysmon_RegistryEvent](../Data_Needed/DN_0018_14_windows_sysmon_RegistryEvent.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0015_11_windows_sysmon_FileCreate](../Data_Needed/DN_0015_11_windows_sysmon_FileCreate.md)</li><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1037: Logon Scripts](../Triggers/T1037.md)</li></ul>  |
 | Severity Level       | high |
@@ -18,7 +18,9 @@
 ### Sigma rule
 
 ```
+action: global
 title: Logon Scripts (UserInitMprLogonScript)
+id: 0a98a10c-685d-4ab0-bddc-b6bdd1d48458
 status: experimental
 description: Detects creation or execution of UserInitMprLogonScript persistence method
 references:
@@ -28,30 +30,45 @@ tags:
     - attack.persistence
     - attack.lateral_movement
 author: Tom Ueltschi (@c_APT_ure)
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    exec_selection:
-        EventID: 1 # Migration to process_creation requires multipart YAML
-        ParentImage: '*\userinit.exe'
-    exec_exclusion:
-        Image: '*\explorer.exe'
-        CommandLine: '*\netlogon.bat'
-    create_selection:
-        EventID:
-            - 1
-            - 11
-            - 12
-            - 13
-            - 14
-    create_keywords:
-        - UserInitMprLogonScript
-    condition: (exec_selection and not exec_exclusion) or (create_selection and create_keywords)
 falsepositives:
     - exclude legitimate logon scripts
     - penetration tests, red teaming
 level: high
+---
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    exec_selection:
+        ParentImage: '*\userinit.exe'
+    exec_exclusion1:
+        Image: '*\explorer.exe'
+    exec_exclusion2:
+        CommandLine: '*\netlogon.bat'
+    condition: exec_selection and not exec_exclusion1 and not exec_exclusion2
+---
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    create_keywords_cli:
+        CommandLine: '*UserInitMprLogonScript*'
+    condition: create_keywords_cli
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    create_selection_reg:
+        EventID:
+            - 11
+            - 12
+            - 13
+            - 14
+    create_keywords_reg:
+        TargetObject: '*UserInitMprLogonScript*'
+    condition: create_selection_reg and create_keywords_reg
+
 ```
 
 
@@ -61,42 +78,42 @@ level: high
 ### es-qs
     
 ```
-(((EventID:"1" AND ParentImage.keyword:*\\\\userinit.exe) AND (NOT (Image.keyword:*\\\\explorer.exe AND CommandLine.keyword:*\\\\netlogon.bat))) OR (EventID:("1" OR "11" OR "12" OR "13" OR "14") AND "UserInitMprLogonScript"))
+((ParentImage.keyword:*\\\\userinit.exe AND (NOT (Image.keyword:*\\\\explorer.exe))) AND (NOT (CommandLine.keyword:*\\\\netlogon.bat)))\nCommandLine.keyword:*UserInitMprLogonScript*\n(EventID:("11" OR "12" OR "13" OR "14") AND TargetObject.keyword:*UserInitMprLogonScript*)
 ```
 
 
 ### xpack-watcher
     
 ```
-curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Logon-Scripts-UserInitMprLogonScript <<EOF\n{\n  "metadata": {\n    "title": "Logon Scripts (UserInitMprLogonScript)",\n    "description": "Detects creation or execution of UserInitMprLogonScript persistence method",\n    "tags": [\n      "attack.t1037",\n      "attack.persistence",\n      "attack.lateral_movement"\n    ],\n    "query": "(((EventID:\\"1\\" AND ParentImage.keyword:*\\\\\\\\userinit.exe) AND (NOT (Image.keyword:*\\\\\\\\explorer.exe AND CommandLine.keyword:*\\\\\\\\netlogon.bat))) OR (EventID:(\\"1\\" OR \\"11\\" OR \\"12\\" OR \\"13\\" OR \\"14\\") AND \\"UserInitMprLogonScript\\"))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(((EventID:\\"1\\" AND ParentImage.keyword:*\\\\\\\\userinit.exe) AND (NOT (Image.keyword:*\\\\\\\\explorer.exe AND CommandLine.keyword:*\\\\\\\\netlogon.bat))) OR (EventID:(\\"1\\" OR \\"11\\" OR \\"12\\" OR \\"13\\" OR \\"14\\") AND \\"UserInitMprLogonScript\\"))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Logon Scripts (UserInitMprLogonScript)\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Logon-Scripts-UserInitMprLogonScript <<EOF\n{\n  "metadata": {\n    "title": "Logon Scripts (UserInitMprLogonScript)",\n    "description": "Detects creation or execution of UserInitMprLogonScript persistence method",\n    "tags": [\n      "attack.t1037",\n      "attack.persistence",\n      "attack.lateral_movement"\n    ],\n    "query": "((ParentImage.keyword:*\\\\\\\\userinit.exe AND (NOT (Image.keyword:*\\\\\\\\explorer.exe))) AND (NOT (CommandLine.keyword:*\\\\\\\\netlogon.bat)))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "((ParentImage.keyword:*\\\\\\\\userinit.exe AND (NOT (Image.keyword:*\\\\\\\\explorer.exe))) AND (NOT (CommandLine.keyword:*\\\\\\\\netlogon.bat)))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Logon Scripts (UserInitMprLogonScript)\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\ncurl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Logon-Scripts-UserInitMprLogonScript-2 <<EOF\n{\n  "metadata": {\n    "title": "Logon Scripts (UserInitMprLogonScript)",\n    "description": "Detects creation or execution of UserInitMprLogonScript persistence method",\n    "tags": [\n      "attack.t1037",\n      "attack.persistence",\n      "attack.lateral_movement"\n    ],\n    "query": "CommandLine.keyword:*UserInitMprLogonScript*"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "CommandLine.keyword:*UserInitMprLogonScript*",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Logon Scripts (UserInitMprLogonScript)\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\ncurl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Logon-Scripts-UserInitMprLogonScript-3 <<EOF\n{\n  "metadata": {\n    "title": "Logon Scripts (UserInitMprLogonScript)",\n    "description": "Detects creation or execution of UserInitMprLogonScript persistence method",\n    "tags": [\n      "attack.t1037",\n      "attack.persistence",\n      "attack.lateral_movement"\n    ],\n    "query": "(EventID:(\\"11\\" OR \\"12\\" OR \\"13\\" OR \\"14\\") AND TargetObject.keyword:*UserInitMprLogonScript*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:(\\"11\\" OR \\"12\\" OR \\"13\\" OR \\"14\\") AND TargetObject.keyword:*UserInitMprLogonScript*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Logon Scripts (UserInitMprLogonScript)\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
 ```
 
 
 ### graylog
     
 ```
-(((EventID:"1" AND ParentImage:"*\\\\userinit.exe") AND NOT (Image:"*\\\\explorer.exe" AND CommandLine:"*\\\\netlogon.bat")) OR (EventID:("1" "11" "12" "13" "14") AND "UserInitMprLogonScript"))
+((ParentImage.keyword:*\\\\userinit.exe AND (NOT (Image.keyword:*\\\\explorer.exe))) AND (NOT (CommandLine.keyword:*\\\\netlogon.bat)))\nCommandLine.keyword:*UserInitMprLogonScript*\n(EventID:("11" "12" "13" "14") AND TargetObject.keyword:*UserInitMprLogonScript*)
 ```
 
 
 ### splunk
     
 ```
-(((EventID="1" ParentImage="*\\\\userinit.exe") NOT (Image="*\\\\explorer.exe" CommandLine="*\\\\netlogon.bat")) OR ((EventID="1" OR EventID="11" OR EventID="12" OR EventID="13" OR EventID="14") "UserInitMprLogonScript"))
+((ParentImage="*\\\\userinit.exe" NOT (Image="*\\\\explorer.exe")) NOT (CommandLine="*\\\\netlogon.bat"))\nCommandLine="*UserInitMprLogonScript*"\n((EventID="11" OR EventID="12" OR EventID="13" OR EventID="14") TargetObject="*UserInitMprLogonScript*")
 ```
 
 
 ### logpoint
     
 ```
-(((EventID="1" ParentImage="*\\\\userinit.exe")  -(Image="*\\\\explorer.exe" CommandLine="*\\\\netlogon.bat")) OR (EventID IN ["1", "11", "12", "13", "14"] "UserInitMprLogonScript"))
+(event_id="1" (ParentImage="*\\\\userinit.exe"  -(Image="*\\\\explorer.exe"))  -(CommandLine="*\\\\netlogon.bat"))\n(event_id="1" CommandLine="*UserInitMprLogonScript*")\n(event_id IN ["11", "12", "13", "14"] TargetObject="*UserInitMprLogonScript*")
 ```
 
 
 ### grep
     
 ```
-grep -P '^(?:.*(?:.*(?:.*(?=.*(?:.*(?=.*1)(?=.*.*\\userinit\\.exe)))(?=.*(?!.*(?:.*(?=.*.*\\explorer\\.exe)(?=.*.*\\netlogon\\.bat)))))|.*(?:.*(?=.*(?:.*1|.*11|.*12|.*13|.*14))(?=.*UserInitMprLogonScript))))'
+grep -P '^(?:.*(?=.*(?:.*(?=.*.*\\userinit\\.exe)(?=.*(?!.*(?:.*(?=.*.*\\explorer\\.exe))))))(?=.*(?!.*(?:.*(?=.*.*\\netlogon\\.bat)))))'\ngrep -P '^.*UserInitMprLogonScript.*'\ngrep -P '^(?:.*(?=.*(?:.*11|.*12|.*13|.*14))(?=.*.*UserInitMprLogonScript.*))'
 ```
 
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_lsass_memdump.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_lsass_memdump.md
index e421e6c..c154f0a 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_lsass_memdump.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_lsass_memdump.md
@@ -11,7 +11,7 @@
 | Development Status   | experimental |
 | References           | <ul><li>[https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html](https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html)</li></ul>  |
 | Author               | Samir Bousseaden |
-| Other Tags           | <ul><li>attack.s0002</li><li>attack.s0002</li></ul> | 
+| Other Tags           | <ul><li>attack.s0002</li></ul> | 
 
 ## Detection Rules
 
@@ -19,6 +19,7 @@
 
 ```
 title: LSASS Memory Dump
+id: 5ef9853e-4d0e-4a70-846f-a9ca37d876da
 status: experimental
 description: Detects process LSASS memory dump using procdump or taskmgr based on the CallTrace pointing to dbghelp.dll or dbgcore.dll for win10
 author: Samir Bousseaden
@@ -67,7 +68,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### graylog
     
 ```
-(EventID:"10" AND TargetImage:"C\\:\\\\windows\\\\system32\\\\lsass.exe" AND GrantedAccess:"0x1fffff" AND CallTrace:("*dbghelp.dll*" "*dbgcore.dll*"))
+(EventID:"10" AND TargetImage:"C\\:\\\\windows\\\\system32\\\\lsass.exe" AND GrantedAccess:"0x1fffff" AND CallTrace.keyword:(*dbghelp.dll* *dbgcore.dll*))
 ```
 
 
@@ -81,7 +82,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### logpoint
     
 ```
-(EventID="10" TargetImage="C:\\\\windows\\\\system32\\\\lsass.exe" GrantedAccess="0x1fffff" CallTrace IN ["*dbghelp.dll*", "*dbgcore.dll*"])
+(event_id="10" TargetImage="C:\\\\windows\\\\system32\\\\lsass.exe" GrantedAccess="0x1fffff" CallTrace IN ["*dbghelp.dll*", "*dbgcore.dll*"])
 ```
 
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_mal_namedpipes.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_mal_namedpipes.md
index a03c132..4310b04 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_mal_namedpipes.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_mal_namedpipes.md
@@ -3,7 +3,7 @@
 | Description          | Detects the creation of a named pipe used by known APT malware                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1055: Process Injection](https://attack.mitre.org/techniques/T1055)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0021_18_windows_sysmon_PipeEvent](../Data_Needed/DN_0021_18_windows_sysmon_PipeEvent.md)</li><li>[DN_0020_17_windows_sysmon_PipeEvent](../Data_Needed/DN_0020_17_windows_sysmon_PipeEvent.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0020_17_windows_sysmon_PipeEvent](../Data_Needed/DN_0020_17_windows_sysmon_PipeEvent.md)</li><li>[DN_0021_18_windows_sysmon_PipeEvent](../Data_Needed/DN_0021_18_windows_sysmon_PipeEvent.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1055: Process Injection](../Triggers/T1055.md)</li></ul>  |
 | Severity Level       | critical |
@@ -19,6 +19,7 @@
 
 ```
 title: Malicious Named Pipe
+id: fe3ac066-98bb-432a-b1e7-a5229cb39d4a
 status: experimental
 description: Detects the creation of a named pipe used by known APT malware
 references:
@@ -82,7 +83,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### graylog
     
 ```
-(EventID:("17" "18") AND PipeName:("\\\\isapi_http" "\\\\isapi_dg" "\\\\isapi_dg2" "\\\\sdlrpc" "\\\\ahexec" "\\\\winsession" "\\\\lsassw" "\\\\46a676ab7f179e511e30dd2dc41bd388" "\\\\9f81f59bc58452127884ce513865ed20" "\\\\e710f28d59aa529d6792ca6ff0ca1b34" "\\\\rpchlp_3" "\\\\NamePipe_MoreWindows" "\\\\pcheap_reuse" "\\\\msagent_*"))
+(EventID:("17" "18") AND PipeName.keyword:(\\\\isapi_http \\\\isapi_dg \\\\isapi_dg2 \\\\sdlrpc \\\\ahexec \\\\winsession \\\\lsassw \\\\46a676ab7f179e511e30dd2dc41bd388 \\\\9f81f59bc58452127884ce513865ed20 \\\\e710f28d59aa529d6792ca6ff0ca1b34 \\\\rpchlp_3 \\\\NamePipe_MoreWindows \\\\pcheap_reuse \\\\msagent_*))
 ```
 
 
@@ -96,7 +97,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### logpoint
     
 ```
-(EventID IN ["17", "18"] PipeName IN ["\\\\isapi_http", "\\\\isapi_dg", "\\\\isapi_dg2", "\\\\sdlrpc", "\\\\ahexec", "\\\\winsession", "\\\\lsassw", "\\\\46a676ab7f179e511e30dd2dc41bd388", "\\\\9f81f59bc58452127884ce513865ed20", "\\\\e710f28d59aa529d6792ca6ff0ca1b34", "\\\\rpchlp_3", "\\\\NamePipe_MoreWindows", "\\\\pcheap_reuse", "\\\\msagent_*"])
+(event_id IN ["17", "18"] PipeName IN ["\\\\isapi_http", "\\\\isapi_dg", "\\\\isapi_dg2", "\\\\sdlrpc", "\\\\ahexec", "\\\\winsession", "\\\\lsassw", "\\\\46a676ab7f179e511e30dd2dc41bd388", "\\\\9f81f59bc58452127884ce513865ed20", "\\\\e710f28d59aa529d6792ca6ff0ca1b34", "\\\\rpchlp_3", "\\\\NamePipe_MoreWindows", "\\\\pcheap_reuse", "\\\\msagent_*"])
 ```
 
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_malware_backconnect_ports.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_malware_backconnect_ports.md
index 159f035..7eabe93 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_malware_backconnect_ports.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_malware_backconnect_ports.md
@@ -19,6 +19,7 @@
 
 ```
 title: Suspicious Typical Malware Back Connect Ports
+id: 4b89abaa-99fe-4232-afdd-8f9aa4d20382
 status: experimental
 description: Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases
 references:
@@ -35,6 +36,7 @@ logsource:
 detection:
     selection:
         EventID: 3
+        Initiated: 'true'
         DestinationPort:
             - '4443'
             - '2448'
@@ -124,42 +126,42 @@ level: medium
 ### es-qs
     
 ```
-((EventID:"3" AND DestinationPort:("4443" OR "2448" OR "8143" OR "1777" OR "1443" OR "243" OR "65535" OR "13506" OR "3360" OR "200" OR "198" OR "49180" OR "13507" OR "6625" OR "4444" OR "4438" OR "1904" OR "13505" OR "13504" OR "12102" OR "9631" OR "5445" OR "2443" OR "777" OR "13394" OR "13145" OR "12103" OR "5552" OR "3939" OR "3675" OR "666" OR "473" OR "5649" OR "4455" OR "4433" OR "1817" OR "100" OR "65520" OR "1960" OR "1515" OR "743" OR "700" OR "14154" OR "14103" OR "14102" OR "12322" OR "10101" OR "7210" OR "4040" OR "9943")) AND (NOT ((Image.keyword:*\\\\Program\\ Files* OR (DestinationIp.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.*) AND DestinationIsIpv6:"false")))))
+((EventID:"3" AND Initiated:"true" AND DestinationPort:("4443" OR "2448" OR "8143" OR "1777" OR "1443" OR "243" OR "65535" OR "13506" OR "3360" OR "200" OR "198" OR "49180" OR "13507" OR "6625" OR "4444" OR "4438" OR "1904" OR "13505" OR "13504" OR "12102" OR "9631" OR "5445" OR "2443" OR "777" OR "13394" OR "13145" OR "12103" OR "5552" OR "3939" OR "3675" OR "666" OR "473" OR "5649" OR "4455" OR "4433" OR "1817" OR "100" OR "65520" OR "1960" OR "1515" OR "743" OR "700" OR "14154" OR "14103" OR "14102" OR "12322" OR "10101" OR "7210" OR "4040" OR "9943")) AND (NOT ((Image.keyword:*\\\\Program\\ Files* OR (DestinationIp.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.*) AND DestinationIsIpv6:"false")))))
 ```
 
 
 ### xpack-watcher
     
 ```
-curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-Typical-Malware-Back-Connect-Ports <<EOF\n{\n  "metadata": {\n    "title": "Suspicious Typical Malware Back Connect Ports",\n    "description": "Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases",\n    "tags": [\n      "attack.command_and_control",\n      "attack.t1043"\n    ],\n    "query": "((EventID:\\"3\\" AND DestinationPort:(\\"4443\\" OR \\"2448\\" OR \\"8143\\" OR \\"1777\\" OR \\"1443\\" OR \\"243\\" OR \\"65535\\" OR \\"13506\\" OR \\"3360\\" OR \\"200\\" OR \\"198\\" OR \\"49180\\" OR \\"13507\\" OR \\"6625\\" OR \\"4444\\" OR \\"4438\\" OR \\"1904\\" OR \\"13505\\" OR \\"13504\\" OR \\"12102\\" OR \\"9631\\" OR \\"5445\\" OR \\"2443\\" OR \\"777\\" OR \\"13394\\" OR \\"13145\\" OR \\"12103\\" OR \\"5552\\" OR \\"3939\\" OR \\"3675\\" OR \\"666\\" OR \\"473\\" OR \\"5649\\" OR \\"4455\\" OR \\"4433\\" OR \\"1817\\" OR \\"100\\" OR \\"65520\\" OR \\"1960\\" OR \\"1515\\" OR \\"743\\" OR \\"700\\" OR \\"14154\\" OR \\"14103\\" OR \\"14102\\" OR \\"12322\\" OR \\"10101\\" OR \\"7210\\" OR \\"4040\\" OR \\"9943\\")) AND (NOT ((Image.keyword:*\\\\\\\\Program\\\\ Files* OR (DestinationIp.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.*) AND DestinationIsIpv6:\\"false\\")))))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "((EventID:\\"3\\" AND DestinationPort:(\\"4443\\" OR \\"2448\\" OR \\"8143\\" OR \\"1777\\" OR \\"1443\\" OR \\"243\\" OR \\"65535\\" OR \\"13506\\" OR \\"3360\\" OR \\"200\\" OR \\"198\\" OR \\"49180\\" OR \\"13507\\" OR \\"6625\\" OR \\"4444\\" OR \\"4438\\" OR \\"1904\\" OR \\"13505\\" OR \\"13504\\" OR \\"12102\\" OR \\"9631\\" OR \\"5445\\" OR \\"2443\\" OR \\"777\\" OR \\"13394\\" OR \\"13145\\" OR \\"12103\\" OR \\"5552\\" OR \\"3939\\" OR \\"3675\\" OR \\"666\\" OR \\"473\\" OR \\"5649\\" OR \\"4455\\" OR \\"4433\\" OR \\"1817\\" OR \\"100\\" OR \\"65520\\" OR \\"1960\\" OR \\"1515\\" OR \\"743\\" OR \\"700\\" OR \\"14154\\" OR \\"14103\\" OR \\"14102\\" OR \\"12322\\" OR \\"10101\\" OR \\"7210\\" OR \\"4040\\" OR \\"9943\\")) AND (NOT ((Image.keyword:*\\\\\\\\Program\\\\ Files* OR (DestinationIp.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.*) AND DestinationIsIpv6:\\"false\\")))))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Suspicious Typical Malware Back Connect Ports\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-Typical-Malware-Back-Connect-Ports <<EOF\n{\n  "metadata": {\n    "title": "Suspicious Typical Malware Back Connect Ports",\n    "description": "Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases",\n    "tags": [\n      "attack.command_and_control",\n      "attack.t1043"\n    ],\n    "query": "((EventID:\\"3\\" AND Initiated:\\"true\\" AND DestinationPort:(\\"4443\\" OR \\"2448\\" OR \\"8143\\" OR \\"1777\\" OR \\"1443\\" OR \\"243\\" OR \\"65535\\" OR \\"13506\\" OR \\"3360\\" OR \\"200\\" OR \\"198\\" OR \\"49180\\" OR \\"13507\\" OR \\"6625\\" OR \\"4444\\" OR \\"4438\\" OR \\"1904\\" OR \\"13505\\" OR \\"13504\\" OR \\"12102\\" OR \\"9631\\" OR \\"5445\\" OR \\"2443\\" OR \\"777\\" OR \\"13394\\" OR \\"13145\\" OR \\"12103\\" OR \\"5552\\" OR \\"3939\\" OR \\"3675\\" OR \\"666\\" OR \\"473\\" OR \\"5649\\" OR \\"4455\\" OR \\"4433\\" OR \\"1817\\" OR \\"100\\" OR \\"65520\\" OR \\"1960\\" OR \\"1515\\" OR \\"743\\" OR \\"700\\" OR \\"14154\\" OR \\"14103\\" OR \\"14102\\" OR \\"12322\\" OR \\"10101\\" OR \\"7210\\" OR \\"4040\\" OR \\"9943\\")) AND (NOT ((Image.keyword:*\\\\\\\\Program\\\\ Files* OR (DestinationIp.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.*) AND DestinationIsIpv6:\\"false\\")))))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "((EventID:\\"3\\" AND Initiated:\\"true\\" AND DestinationPort:(\\"4443\\" OR \\"2448\\" OR \\"8143\\" OR \\"1777\\" OR \\"1443\\" OR \\"243\\" OR \\"65535\\" OR \\"13506\\" OR \\"3360\\" OR \\"200\\" OR \\"198\\" OR \\"49180\\" OR \\"13507\\" OR \\"6625\\" OR \\"4444\\" OR \\"4438\\" OR \\"1904\\" OR \\"13505\\" OR \\"13504\\" OR \\"12102\\" OR \\"9631\\" OR \\"5445\\" OR \\"2443\\" OR \\"777\\" OR \\"13394\\" OR \\"13145\\" OR \\"12103\\" OR \\"5552\\" OR \\"3939\\" OR \\"3675\\" OR \\"666\\" OR \\"473\\" OR \\"5649\\" OR \\"4455\\" OR \\"4433\\" OR \\"1817\\" OR \\"100\\" OR \\"65520\\" OR \\"1960\\" OR \\"1515\\" OR \\"743\\" OR \\"700\\" OR \\"14154\\" OR \\"14103\\" OR \\"14102\\" OR \\"12322\\" OR \\"10101\\" OR \\"7210\\" OR \\"4040\\" OR \\"9943\\")) AND (NOT ((Image.keyword:*\\\\\\\\Program\\\\ Files* OR (DestinationIp.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.*) AND DestinationIsIpv6:\\"false\\")))))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Suspicious Typical Malware Back Connect Ports\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
 ```
 
 
 ### graylog
     
 ```
-((EventID:"3" AND DestinationPort:("4443" "2448" "8143" "1777" "1443" "243" "65535" "13506" "3360" "200" "198" "49180" "13507" "6625" "4444" "4438" "1904" "13505" "13504" "12102" "9631" "5445" "2443" "777" "13394" "13145" "12103" "5552" "3939" "3675" "666" "473" "5649" "4455" "4433" "1817" "100" "65520" "1960" "1515" "743" "700" "14154" "14103" "14102" "12322" "10101" "7210" "4040" "9943")) AND NOT ((Image:"*\\\\Program Files*" OR (DestinationIp:("10.*" "192.168.*" "172.16.*" "172.17.*" "172.18.*" "172.19.*" "172.20.*" "172.21.*" "172.22.*" "172.23.*" "172.24.*" "172.25.*" "172.26.*" "172.27.*" "172.28.*" "172.29.*" "172.30.*" "172.31.*" "127.*") AND DestinationIsIpv6:"false"))))
+((EventID:"3" AND Initiated:"true" AND DestinationPort:("4443" "2448" "8143" "1777" "1443" "243" "65535" "13506" "3360" "200" "198" "49180" "13507" "6625" "4444" "4438" "1904" "13505" "13504" "12102" "9631" "5445" "2443" "777" "13394" "13145" "12103" "5552" "3939" "3675" "666" "473" "5649" "4455" "4433" "1817" "100" "65520" "1960" "1515" "743" "700" "14154" "14103" "14102" "12322" "10101" "7210" "4040" "9943")) AND (NOT ((Image.keyword:*\\\\Program Files* OR (DestinationIp.keyword:(10.* 192.168.* 172.16.* 172.17.* 172.18.* 172.19.* 172.20.* 172.21.* 172.22.* 172.23.* 172.24.* 172.25.* 172.26.* 172.27.* 172.28.* 172.29.* 172.30.* 172.31.* 127.*) AND DestinationIsIpv6:"false")))))
 ```
 
 
 ### splunk
     
 ```
-((EventID="3" (DestinationPort="4443" OR DestinationPort="2448" OR DestinationPort="8143" OR DestinationPort="1777" OR DestinationPort="1443" OR DestinationPort="243" OR DestinationPort="65535" OR DestinationPort="13506" OR DestinationPort="3360" OR DestinationPort="200" OR DestinationPort="198" OR DestinationPort="49180" OR DestinationPort="13507" OR DestinationPort="6625" OR DestinationPort="4444" OR DestinationPort="4438" OR DestinationPort="1904" OR DestinationPort="13505" OR DestinationPort="13504" OR DestinationPort="12102" OR DestinationPort="9631" OR DestinationPort="5445" OR DestinationPort="2443" OR DestinationPort="777" OR DestinationPort="13394" OR DestinationPort="13145" OR DestinationPort="12103" OR DestinationPort="5552" OR DestinationPort="3939" OR DestinationPort="3675" OR DestinationPort="666" OR DestinationPort="473" OR DestinationPort="5649" OR DestinationPort="4455" OR DestinationPort="4433" OR DestinationPort="1817" OR DestinationPort="100" OR DestinationPort="65520" OR DestinationPort="1960" OR DestinationPort="1515" OR DestinationPort="743" OR DestinationPort="700" OR DestinationPort="14154" OR DestinationPort="14103" OR DestinationPort="14102" OR DestinationPort="12322" OR DestinationPort="10101" OR DestinationPort="7210" OR DestinationPort="4040" OR DestinationPort="9943")) NOT ((Image="*\\\\Program Files*" OR ((DestinationIp="10.*" OR DestinationIp="192.168.*" OR DestinationIp="172.16.*" OR DestinationIp="172.17.*" OR DestinationIp="172.18.*" OR DestinationIp="172.19.*" OR DestinationIp="172.20.*" OR DestinationIp="172.21.*" OR DestinationIp="172.22.*" OR DestinationIp="172.23.*" OR DestinationIp="172.24.*" OR DestinationIp="172.25.*" OR DestinationIp="172.26.*" OR DestinationIp="172.27.*" OR DestinationIp="172.28.*" OR DestinationIp="172.29.*" OR DestinationIp="172.30.*" OR DestinationIp="172.31.*" OR DestinationIp="127.*") DestinationIsIpv6="false"))))
+((EventID="3" Initiated="true" (DestinationPort="4443" OR DestinationPort="2448" OR DestinationPort="8143" OR DestinationPort="1777" OR DestinationPort="1443" OR DestinationPort="243" OR DestinationPort="65535" OR DestinationPort="13506" OR DestinationPort="3360" OR DestinationPort="200" OR DestinationPort="198" OR DestinationPort="49180" OR DestinationPort="13507" OR DestinationPort="6625" OR DestinationPort="4444" OR DestinationPort="4438" OR DestinationPort="1904" OR DestinationPort="13505" OR DestinationPort="13504" OR DestinationPort="12102" OR DestinationPort="9631" OR DestinationPort="5445" OR DestinationPort="2443" OR DestinationPort="777" OR DestinationPort="13394" OR DestinationPort="13145" OR DestinationPort="12103" OR DestinationPort="5552" OR DestinationPort="3939" OR DestinationPort="3675" OR DestinationPort="666" OR DestinationPort="473" OR DestinationPort="5649" OR DestinationPort="4455" OR DestinationPort="4433" OR DestinationPort="1817" OR DestinationPort="100" OR DestinationPort="65520" OR DestinationPort="1960" OR DestinationPort="1515" OR DestinationPort="743" OR DestinationPort="700" OR DestinationPort="14154" OR DestinationPort="14103" OR DestinationPort="14102" OR DestinationPort="12322" OR DestinationPort="10101" OR DestinationPort="7210" OR DestinationPort="4040" OR DestinationPort="9943")) NOT ((Image="*\\\\Program Files*" OR ((DestinationIp="10.*" OR DestinationIp="192.168.*" OR DestinationIp="172.16.*" OR DestinationIp="172.17.*" OR DestinationIp="172.18.*" OR DestinationIp="172.19.*" OR DestinationIp="172.20.*" OR DestinationIp="172.21.*" OR DestinationIp="172.22.*" OR DestinationIp="172.23.*" OR DestinationIp="172.24.*" OR DestinationIp="172.25.*" OR DestinationIp="172.26.*" OR DestinationIp="172.27.*" OR DestinationIp="172.28.*" OR DestinationIp="172.29.*" OR DestinationIp="172.30.*" OR DestinationIp="172.31.*" OR DestinationIp="127.*") DestinationIsIpv6="false"))))
 ```
 
 
 ### logpoint
     
 ```
-((EventID="3" DestinationPort IN ["4443", "2448", "8143", "1777", "1443", "243", "65535", "13506", "3360", "200", "198", "49180", "13507", "6625", "4444", "4438", "1904", "13505", "13504", "12102", "9631", "5445", "2443", "777", "13394", "13145", "12103", "5552", "3939", "3675", "666", "473", "5649", "4455", "4433", "1817", "100", "65520", "1960", "1515", "743", "700", "14154", "14103", "14102", "12322", "10101", "7210", "4040", "9943"])  -((Image="*\\\\Program Files*" OR (DestinationIp IN ["10.*", "192.168.*", "172.16.*", "172.17.*", "172.18.*", "172.19.*", "172.20.*", "172.21.*", "172.22.*", "172.23.*", "172.24.*", "172.25.*", "172.26.*", "172.27.*", "172.28.*", "172.29.*", "172.30.*", "172.31.*", "127.*"] DestinationIsIpv6="false"))))
+((event_id="3" Initiated="true" DestinationPort IN ["4443", "2448", "8143", "1777", "1443", "243", "65535", "13506", "3360", "200", "198", "49180", "13507", "6625", "4444", "4438", "1904", "13505", "13504", "12102", "9631", "5445", "2443", "777", "13394", "13145", "12103", "5552", "3939", "3675", "666", "473", "5649", "4455", "4433", "1817", "100", "65520", "1960", "1515", "743", "700", "14154", "14103", "14102", "12322", "10101", "7210", "4040", "9943"])  -((Image="*\\\\Program Files*" OR (DestinationIp IN ["10.*", "192.168.*", "172.16.*", "172.17.*", "172.18.*", "172.19.*", "172.20.*", "172.21.*", "172.22.*", "172.23.*", "172.24.*", "172.25.*", "172.26.*", "172.27.*", "172.28.*", "172.29.*", "172.30.*", "172.31.*", "127.*"] DestinationIsIpv6="false"))))
 ```
 
 
 ### grep
     
 ```
-grep -P '^(?:.*(?=.*(?:.*(?=.*3)(?=.*(?:.*4443|.*2448|.*8143|.*1777|.*1443|.*243|.*65535|.*13506|.*3360|.*200|.*198|.*49180|.*13507|.*6625|.*4444|.*4438|.*1904|.*13505|.*13504|.*12102|.*9631|.*5445|.*2443|.*777|.*13394|.*13145|.*12103|.*5552|.*3939|.*3675|.*666|.*473|.*5649|.*4455|.*4433|.*1817|.*100|.*65520|.*1960|.*1515|.*743|.*700|.*14154|.*14103|.*14102|.*12322|.*10101|.*7210|.*4040|.*9943))))(?=.*(?!.*(?:.*(?:.*(?:.*.*\\Program Files.*|.*(?:.*(?=.*(?:.*10\\..*|.*192\\.168\\..*|.*172\\.16\\..*|.*172\\.17\\..*|.*172\\.18\\..*|.*172\\.19\\..*|.*172\\.20\\..*|.*172\\.21\\..*|.*172\\.22\\..*|.*172\\.23\\..*|.*172\\.24\\..*|.*172\\.25\\..*|.*172\\.26\\..*|.*172\\.27\\..*|.*172\\.28\\..*|.*172\\.29\\..*|.*172\\.30\\..*|.*172\\.31\\..*|.*127\\..*))(?=.*false))))))))'
+grep -P '^(?:.*(?=.*(?:.*(?=.*3)(?=.*true)(?=.*(?:.*4443|.*2448|.*8143|.*1777|.*1443|.*243|.*65535|.*13506|.*3360|.*200|.*198|.*49180|.*13507|.*6625|.*4444|.*4438|.*1904|.*13505|.*13504|.*12102|.*9631|.*5445|.*2443|.*777|.*13394|.*13145|.*12103|.*5552|.*3939|.*3675|.*666|.*473|.*5649|.*4455|.*4433|.*1817|.*100|.*65520|.*1960|.*1515|.*743|.*700|.*14154|.*14103|.*14102|.*12322|.*10101|.*7210|.*4040|.*9943))))(?=.*(?!.*(?:.*(?:.*(?:.*.*\\Program Files.*|.*(?:.*(?=.*(?:.*10\\..*|.*192\\.168\\..*|.*172\\.16\\..*|.*172\\.17\\..*|.*172\\.18\\..*|.*172\\.19\\..*|.*172\\.20\\..*|.*172\\.21\\..*|.*172\\.22\\..*|.*172\\.23\\..*|.*172\\.24\\..*|.*172\\.25\\..*|.*172\\.26\\..*|.*172\\.27\\..*|.*172\\.28\\..*|.*172\\.29\\..*|.*172\\.30\\..*|.*172\\.31\\..*|.*127\\..*))(?=.*false))))))))'
 ```
 
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_malware_verclsid_shellcode.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_malware_verclsid_shellcode.md
index 4a5a58b..317fcb8 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_malware_verclsid_shellcode.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_malware_verclsid_shellcode.md
@@ -19,6 +19,7 @@
 
 ```
 title: Malware Shellcode in Verclsid Target Process
+id: b7967e22-3d7e-409b-9ed5-cdae3f9243a1
 status: experimental
 description: Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro
 references:
@@ -73,7 +74,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### graylog
     
 ```
-((EventID:"10" AND TargetImage:"*\\\\verclsid.exe" AND GrantedAccess:"0x1FFFFF") AND (CallTrace:"*|UNKNOWN\\(*VBE7.DLL*" OR (SourceImage:"*\\\\Microsoft Office\\\\*" AND CallTrace:"*|UNKNOWN*")))
+((EventID:"10" AND TargetImage.keyword:*\\\\verclsid.exe AND GrantedAccess:"0x1FFFFF") AND (CallTrace.keyword:*|UNKNOWN\\(*VBE7.DLL* OR (SourceImage.keyword:*\\\\Microsoft Office\\\\* AND CallTrace.keyword:*|UNKNOWN*)))
 ```
 
 
@@ -87,7 +88,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### logpoint
     
 ```
-((EventID="10" TargetImage="*\\\\verclsid.exe" GrantedAccess="0x1FFFFF") (CallTrace="*|UNKNOWN(*VBE7.DLL*" OR (SourceImage="*\\\\Microsoft Office\\\\*" CallTrace="*|UNKNOWN*")))
+((event_id="10" TargetImage="*\\\\verclsid.exe" GrantedAccess="0x1FFFFF") (CallTrace="*|UNKNOWN(*VBE7.DLL*" OR (SourceImage="*\\\\Microsoft Office\\\\*" CallTrace="*|UNKNOWN*")))
 ```
 
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_mimikatz_detection_lsass.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_mimikatz_detection_lsass.md
index 8941e6a..cbf2020 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_mimikatz_detection_lsass.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_mimikatz_detection_lsass.md
@@ -11,7 +11,7 @@
 | Development Status   | experimental |
 | References           | <ul><li>[https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow](https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow)</li><li>[https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html](https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html)</li></ul>  |
 | Author               |  Author of this Detection Rule haven't introduced himself  |
-| Other Tags           | <ul><li>attack.s0002</li><li>attack.s0002</li><li>car.2019-04-004</li><li>car.2019-04-004</li></ul> | 
+| Other Tags           | <ul><li>attack.s0002</li><li>car.2019-04-004</li></ul> | 
 
 ## Detection Rules
 
@@ -19,8 +19,10 @@
 
 ```
 title: Mimikatz Detection LSASS Access
+id: 0d894093-71bc-43c3-8c4d-ecfc28dcf5d9
 status: experimental
-description: Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_ LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_ INFORMATION "only old versions", 0x0010 PROCESS_VM_READ)
+description: Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_ LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_ INFORMATION "only old
+    versions", 0x0010 PROCESS_VM_READ)
 references:
     - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
     - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
@@ -81,7 +83,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### logpoint
     
 ```
-(EventID="10" TargetImage="C:\\\\windows\\\\system32\\\\lsass.exe" GrantedAccess IN ["0x1410", "0x1010"])
+(event_id="10" TargetImage="C:\\\\windows\\\\system32\\\\lsass.exe" GrantedAccess IN ["0x1410", "0x1010"])
 ```
 
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_mimikatz_inmemory_detection.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_mimikatz_inmemory_detection.md
index 4fd604c..f571b6d 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_mimikatz_inmemory_detection.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_mimikatz_inmemory_detection.md
@@ -11,7 +11,7 @@
 | Development Status   | experimental |
 | References           | <ul><li>[https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/](https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/)</li></ul>  |
 | Author               |  Author of this Detection Rule haven't introduced himself  |
-| Other Tags           | <ul><li>attack.s0002</li><li>attack.s0002</li><li>car.2019-04-004</li><li>car.2019-04-004</li></ul> | 
+| Other Tags           | <ul><li>attack.s0002</li><li>car.2019-04-004</li></ul> | 
 
 ## Detection Rules
 
@@ -19,6 +19,7 @@
 
 ```
 title: Mimikatz In-Memory
+id: c0478ead-5336-46c2-bd5e-b4c84bc3a36e
 status: experimental
 description: Detects certain DLL loads when Mimikatz gets executed
 references:
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_mimikatz_trough_winrm.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_mimikatz_trough_winrm.md
index 33a72e9..3c20cc0 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_mimikatz_trough_winrm.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_mimikatz_trough_winrm.md
@@ -11,14 +11,15 @@
 | Development Status   | stable |
 | References           | <ul><li>[https://pentestlab.blog/2018/05/15/lateral-movement-winrm/](https://pentestlab.blog/2018/05/15/lateral-movement-winrm/)</li></ul>  |
 | Author               | Patryk Prauze - ING Tech |
-| Other Tags           | <ul><li>attack.s0005</li><li>attack.s0005</li></ul> | 
+| Other Tags           | <ul><li>attack.s0005</li></ul> | 
 
 ## Detection Rules
 
 ### Sigma rule
 
 ```
-title: Mimikatz through Windows Remote Management  
+title: Mimikatz through Windows Remote Management
+id: aa35a627-33fb-4d04-a165-d33b4afca3e8
 description: Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.
 references:
     - https://pentestlab.blog/2018/05/15/lateral-movement-winrm/
@@ -80,7 +81,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### logpoint
     
 ```
-(EventID="10" TargetImage="C:\\\\windows\\\\system32\\\\lsass.exe" SourceImage="C:\\\\Windows\\\\system32\\\\wsmprovhost.exe")
+(event_id="10" TargetImage="C:\\\\windows\\\\system32\\\\lsass.exe" SourceImage="C:\\\\Windows\\\\system32\\\\wsmprovhost.exe")
 ```
 
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_password_dumper_lsass.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_password_dumper_lsass.md
index 4460799..ec47090 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_password_dumper_lsass.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_password_dumper_lsass.md
@@ -11,15 +11,17 @@
 | Development Status   | stable |
 | References           | <ul><li>[https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm](https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm)</li></ul>  |
 | Author               | Thomas Patzke |
-| Other Tags           | <ul><li>attack.s0005</li><li>attack.s0005</li></ul> | 
+| Other Tags           | <ul><li>attack.s0005</li></ul> | 
 
 ## Detection Rules
 
 ### Sigma rule
 
 ```
-title: Password Dumper Remote Thread in LSASS 
-description: Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.
+title: Password Dumper Remote Thread in LSASS
+id: f239b326-2f41-4d6b-9dfa-c846a60ef505
+description: Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process
+    in field Process is the malicious program. A single execution can lead to hundreds of events.
 references:
     - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm
 status: stable
@@ -78,7 +80,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### logpoint
     
 ```
-(EventID="8" TargetImage="C:\\\\Windows\\\\System32\\\\lsass.exe" -StartModule=*)
+(event_id="8" TargetImage="C:\\\\Windows\\\\System32\\\\lsass.exe" -StartModule=*)
 ```
 
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_powershell_exploit_scripts.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_powershell_exploit_scripts.md
index 0320760..ea7f23c 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_powershell_exploit_scripts.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_powershell_exploit_scripts.md
@@ -19,6 +19,7 @@
 
 ```
 title: Malicious PowerShell Commandlet Names
+id: f331aa1f-8c53-4fc3-b083-cc159bc971cb
 status: experimental
 description: Detects the creation of known powershell scripts for exploitation
 references:
@@ -159,7 +160,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### graylog
     
 ```
-(EventID:"11" AND TargetFilename:("*\\\\Invoke\\-DllInjection.ps1" "*\\\\Invoke\\-WmiCommand.ps1" "*\\\\Get\\-GPPPassword.ps1" "*\\\\Get\\-Keystrokes.ps1" "*\\\\Get\\-VaultCredential.ps1" "*\\\\Invoke\\-CredentialInjection.ps1" "*\\\\Invoke\\-Mimikatz.ps1" "*\\\\Invoke\\-NinjaCopy.ps1" "*\\\\Invoke\\-TokenManipulation.ps1" "*\\\\Out\\-Minidump.ps1" "*\\\\VolumeShadowCopyTools.ps1" "*\\\\Invoke\\-ReflectivePEInjection.ps1" "*\\\\Get\\-TimedScreenshot.ps1" "*\\\\Invoke\\-UserHunter.ps1" "*\\\\Find\\-GPOLocation.ps1" "*\\\\Invoke\\-ACLScanner.ps1" "*\\\\Invoke\\-DowngradeAccount.ps1" "*\\\\Get\\-ServiceUnquoted.ps1" "*\\\\Get\\-ServiceFilePermission.ps1" "*\\\\Get\\-ServicePermission.ps1" "*\\\\Invoke\\-ServiceAbuse.ps1" "*\\\\Install\\-ServiceBinary.ps1" "*\\\\Get\\-RegAutoLogon.ps1" "*\\\\Get\\-VulnAutoRun.ps1" "*\\\\Get\\-VulnSchTask.ps1" "*\\\\Get\\-UnattendedInstallFile.ps1" "*\\\\Get\\-WebConfig.ps1" "*\\\\Get\\-ApplicationHost.ps1" "*\\\\Get\\-RegAlwaysInstallElevated.ps1" "*\\\\Get\\-Unconstrained.ps1" "*\\\\Add\\-RegBackdoor.ps1" "*\\\\Add\\-ScrnSaveBackdoor.ps1" "*\\\\Gupt\\-Backdoor.ps1" "*\\\\Invoke\\-ADSBackdoor.ps1" "*\\\\Enabled\\-DuplicateToken.ps1" "*\\\\Invoke\\-PsUaCme.ps1" "*\\\\Remove\\-Update.ps1" "*\\\\Check\\-VM.ps1" "*\\\\Get\\-LSASecret.ps1" "*\\\\Get\\-PassHashes.ps1" "*\\\\Show\\-TargetScreen.ps1" "*\\\\Port\\-Scan.ps1" "*\\\\Invoke\\-PoshRatHttp.ps1" "*\\\\Invoke\\-PowerShellTCP.ps1" "*\\\\Invoke\\-PowerShellWMI.ps1" "*\\\\Add\\-Exfiltration.ps1" "*\\\\Add\\-Persistence.ps1" "*\\\\Do\\-Exfiltration.ps1" "*\\\\Start\\-CaptureServer.ps1" "*\\\\Invoke\\-ShellCode.ps1" "*\\\\Get\\-ChromeDump.ps1" "*\\\\Get\\-ClipboardContents.ps1" "*\\\\Get\\-FoxDump.ps1" "*\\\\Get\\-IndexedItem.ps1" "*\\\\Get\\-Screenshot.ps1" "*\\\\Invoke\\-Inveigh.ps1" "*\\\\Invoke\\-NetRipper.ps1" "*\\\\Invoke\\-EgressCheck.ps1" "*\\\\Invoke\\-PostExfil.ps1" "*\\\\Invoke\\-PSInject.ps1" "*\\\\Invoke\\-RunAs.ps1" "*\\\\MailRaider.ps1" "*\\\\New\\-HoneyHash.ps1" "*\\\\Set\\-MacAttribute.ps1" "*\\\\Invoke\\-DCSync.ps1" "*\\\\Invoke\\-PowerDump.ps1" "*\\\\Exploit\\-Jboss.ps1" "*\\\\Invoke\\-ThunderStruck.ps1" "*\\\\Invoke\\-VoiceTroll.ps1" "*\\\\Set\\-Wallpaper.ps1" "*\\\\Invoke\\-InveighRelay.ps1" "*\\\\Invoke\\-PsExec.ps1" "*\\\\Invoke\\-SSHCommand.ps1" "*\\\\Get\\-SecurityPackages.ps1" "*\\\\Install\\-SSP.ps1" "*\\\\Invoke\\-BackdoorLNK.ps1" "*\\\\PowerBreach.ps1" "*\\\\Get\\-SiteListPassword.ps1" "*\\\\Get\\-System.ps1" "*\\\\Invoke\\-BypassUAC.ps1" "*\\\\Invoke\\-Tater.ps1" "*\\\\Invoke\\-WScriptBypassUAC.ps1" "*\\\\PowerUp.ps1" "*\\\\PowerView.ps1" "*\\\\Get\\-RickAstley.ps1" "*\\\\Find\\-Fruit.ps1" "*\\\\HTTP\\-Login.ps1" "*\\\\Find\\-TrustedDocuments.ps1" "*\\\\Invoke\\-Paranoia.ps1" "*\\\\Invoke\\-WinEnum.ps1" "*\\\\Invoke\\-ARPScan.ps1" "*\\\\Invoke\\-PortScan.ps1" "*\\\\Invoke\\-ReverseDNSLookup.ps1" "*\\\\Invoke\\-SMBScanner.ps1" "*\\\\Invoke\\-Mimikittenz.ps1"))
+(EventID:"11" AND TargetFilename.keyword:(*\\\\Invoke\\-DllInjection.ps1 *\\\\Invoke\\-WmiCommand.ps1 *\\\\Get\\-GPPPassword.ps1 *\\\\Get\\-Keystrokes.ps1 *\\\\Get\\-VaultCredential.ps1 *\\\\Invoke\\-CredentialInjection.ps1 *\\\\Invoke\\-Mimikatz.ps1 *\\\\Invoke\\-NinjaCopy.ps1 *\\\\Invoke\\-TokenManipulation.ps1 *\\\\Out\\-Minidump.ps1 *\\\\VolumeShadowCopyTools.ps1 *\\\\Invoke\\-ReflectivePEInjection.ps1 *\\\\Get\\-TimedScreenshot.ps1 *\\\\Invoke\\-UserHunter.ps1 *\\\\Find\\-GPOLocation.ps1 *\\\\Invoke\\-ACLScanner.ps1 *\\\\Invoke\\-DowngradeAccount.ps1 *\\\\Get\\-ServiceUnquoted.ps1 *\\\\Get\\-ServiceFilePermission.ps1 *\\\\Get\\-ServicePermission.ps1 *\\\\Invoke\\-ServiceAbuse.ps1 *\\\\Install\\-ServiceBinary.ps1 *\\\\Get\\-RegAutoLogon.ps1 *\\\\Get\\-VulnAutoRun.ps1 *\\\\Get\\-VulnSchTask.ps1 *\\\\Get\\-UnattendedInstallFile.ps1 *\\\\Get\\-WebConfig.ps1 *\\\\Get\\-ApplicationHost.ps1 *\\\\Get\\-RegAlwaysInstallElevated.ps1 *\\\\Get\\-Unconstrained.ps1 *\\\\Add\\-RegBackdoor.ps1 *\\\\Add\\-ScrnSaveBackdoor.ps1 *\\\\Gupt\\-Backdoor.ps1 *\\\\Invoke\\-ADSBackdoor.ps1 *\\\\Enabled\\-DuplicateToken.ps1 *\\\\Invoke\\-PsUaCme.ps1 *\\\\Remove\\-Update.ps1 *\\\\Check\\-VM.ps1 *\\\\Get\\-LSASecret.ps1 *\\\\Get\\-PassHashes.ps1 *\\\\Show\\-TargetScreen.ps1 *\\\\Port\\-Scan.ps1 *\\\\Invoke\\-PoshRatHttp.ps1 *\\\\Invoke\\-PowerShellTCP.ps1 *\\\\Invoke\\-PowerShellWMI.ps1 *\\\\Add\\-Exfiltration.ps1 *\\\\Add\\-Persistence.ps1 *\\\\Do\\-Exfiltration.ps1 *\\\\Start\\-CaptureServer.ps1 *\\\\Invoke\\-ShellCode.ps1 *\\\\Get\\-ChromeDump.ps1 *\\\\Get\\-ClipboardContents.ps1 *\\\\Get\\-FoxDump.ps1 *\\\\Get\\-IndexedItem.ps1 *\\\\Get\\-Screenshot.ps1 *\\\\Invoke\\-Inveigh.ps1 *\\\\Invoke\\-NetRipper.ps1 *\\\\Invoke\\-EgressCheck.ps1 *\\\\Invoke\\-PostExfil.ps1 *\\\\Invoke\\-PSInject.ps1 *\\\\Invoke\\-RunAs.ps1 *\\\\MailRaider.ps1 *\\\\New\\-HoneyHash.ps1 *\\\\Set\\-MacAttribute.ps1 *\\\\Invoke\\-DCSync.ps1 *\\\\Invoke\\-PowerDump.ps1 *\\\\Exploit\\-Jboss.ps1 *\\\\Invoke\\-ThunderStruck.ps1 *\\\\Invoke\\-VoiceTroll.ps1 *\\\\Set\\-Wallpaper.ps1 *\\\\Invoke\\-InveighRelay.ps1 *\\\\Invoke\\-PsExec.ps1 *\\\\Invoke\\-SSHCommand.ps1 *\\\\Get\\-SecurityPackages.ps1 *\\\\Install\\-SSP.ps1 *\\\\Invoke\\-BackdoorLNK.ps1 *\\\\PowerBreach.ps1 *\\\\Get\\-SiteListPassword.ps1 *\\\\Get\\-System.ps1 *\\\\Invoke\\-BypassUAC.ps1 *\\\\Invoke\\-Tater.ps1 *\\\\Invoke\\-WScriptBypassUAC.ps1 *\\\\PowerUp.ps1 *\\\\PowerView.ps1 *\\\\Get\\-RickAstley.ps1 *\\\\Find\\-Fruit.ps1 *\\\\HTTP\\-Login.ps1 *\\\\Find\\-TrustedDocuments.ps1 *\\\\Invoke\\-Paranoia.ps1 *\\\\Invoke\\-WinEnum.ps1 *\\\\Invoke\\-ARPScan.ps1 *\\\\Invoke\\-PortScan.ps1 *\\\\Invoke\\-ReverseDNSLookup.ps1 *\\\\Invoke\\-SMBScanner.ps1 *\\\\Invoke\\-Mimikittenz.ps1))
 ```
 
 
@@ -173,7 +174,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### logpoint
     
 ```
-(EventID="11" TargetFilename IN ["*\\\\Invoke-DllInjection.ps1", "*\\\\Invoke-WmiCommand.ps1", "*\\\\Get-GPPPassword.ps1", "*\\\\Get-Keystrokes.ps1", "*\\\\Get-VaultCredential.ps1", "*\\\\Invoke-CredentialInjection.ps1", "*\\\\Invoke-Mimikatz.ps1", "*\\\\Invoke-NinjaCopy.ps1", "*\\\\Invoke-TokenManipulation.ps1", "*\\\\Out-Minidump.ps1", "*\\\\VolumeShadowCopyTools.ps1", "*\\\\Invoke-ReflectivePEInjection.ps1", "*\\\\Get-TimedScreenshot.ps1", "*\\\\Invoke-UserHunter.ps1", "*\\\\Find-GPOLocation.ps1", "*\\\\Invoke-ACLScanner.ps1", "*\\\\Invoke-DowngradeAccount.ps1", "*\\\\Get-ServiceUnquoted.ps1", "*\\\\Get-ServiceFilePermission.ps1", "*\\\\Get-ServicePermission.ps1", "*\\\\Invoke-ServiceAbuse.ps1", "*\\\\Install-ServiceBinary.ps1", "*\\\\Get-RegAutoLogon.ps1", "*\\\\Get-VulnAutoRun.ps1", "*\\\\Get-VulnSchTask.ps1", "*\\\\Get-UnattendedInstallFile.ps1", "*\\\\Get-WebConfig.ps1", "*\\\\Get-ApplicationHost.ps1", "*\\\\Get-RegAlwaysInstallElevated.ps1", "*\\\\Get-Unconstrained.ps1", "*\\\\Add-RegBackdoor.ps1", "*\\\\Add-ScrnSaveBackdoor.ps1", "*\\\\Gupt-Backdoor.ps1", "*\\\\Invoke-ADSBackdoor.ps1", "*\\\\Enabled-DuplicateToken.ps1", "*\\\\Invoke-PsUaCme.ps1", "*\\\\Remove-Update.ps1", "*\\\\Check-VM.ps1", "*\\\\Get-LSASecret.ps1", "*\\\\Get-PassHashes.ps1", "*\\\\Show-TargetScreen.ps1", "*\\\\Port-Scan.ps1", "*\\\\Invoke-PoshRatHttp.ps1", "*\\\\Invoke-PowerShellTCP.ps1", "*\\\\Invoke-PowerShellWMI.ps1", "*\\\\Add-Exfiltration.ps1", "*\\\\Add-Persistence.ps1", "*\\\\Do-Exfiltration.ps1", "*\\\\Start-CaptureServer.ps1", "*\\\\Invoke-ShellCode.ps1", "*\\\\Get-ChromeDump.ps1", "*\\\\Get-ClipboardContents.ps1", "*\\\\Get-FoxDump.ps1", "*\\\\Get-IndexedItem.ps1", "*\\\\Get-Screenshot.ps1", "*\\\\Invoke-Inveigh.ps1", "*\\\\Invoke-NetRipper.ps1", "*\\\\Invoke-EgressCheck.ps1", "*\\\\Invoke-PostExfil.ps1", "*\\\\Invoke-PSInject.ps1", "*\\\\Invoke-RunAs.ps1", "*\\\\MailRaider.ps1", "*\\\\New-HoneyHash.ps1", "*\\\\Set-MacAttribute.ps1", "*\\\\Invoke-DCSync.ps1", "*\\\\Invoke-PowerDump.ps1", "*\\\\Exploit-Jboss.ps1", "*\\\\Invoke-ThunderStruck.ps1", "*\\\\Invoke-VoiceTroll.ps1", "*\\\\Set-Wallpaper.ps1", "*\\\\Invoke-InveighRelay.ps1", "*\\\\Invoke-PsExec.ps1", "*\\\\Invoke-SSHCommand.ps1", "*\\\\Get-SecurityPackages.ps1", "*\\\\Install-SSP.ps1", "*\\\\Invoke-BackdoorLNK.ps1", "*\\\\PowerBreach.ps1", "*\\\\Get-SiteListPassword.ps1", "*\\\\Get-System.ps1", "*\\\\Invoke-BypassUAC.ps1", "*\\\\Invoke-Tater.ps1", "*\\\\Invoke-WScriptBypassUAC.ps1", "*\\\\PowerUp.ps1", "*\\\\PowerView.ps1", "*\\\\Get-RickAstley.ps1", "*\\\\Find-Fruit.ps1", "*\\\\HTTP-Login.ps1", "*\\\\Find-TrustedDocuments.ps1", "*\\\\Invoke-Paranoia.ps1", "*\\\\Invoke-WinEnum.ps1", "*\\\\Invoke-ARPScan.ps1", "*\\\\Invoke-PortScan.ps1", "*\\\\Invoke-ReverseDNSLookup.ps1", "*\\\\Invoke-SMBScanner.ps1", "*\\\\Invoke-Mimikittenz.ps1"])
+(event_id="11" TargetFilename IN ["*\\\\Invoke-DllInjection.ps1", "*\\\\Invoke-WmiCommand.ps1", "*\\\\Get-GPPPassword.ps1", "*\\\\Get-Keystrokes.ps1", "*\\\\Get-VaultCredential.ps1", "*\\\\Invoke-CredentialInjection.ps1", "*\\\\Invoke-Mimikatz.ps1", "*\\\\Invoke-NinjaCopy.ps1", "*\\\\Invoke-TokenManipulation.ps1", "*\\\\Out-Minidump.ps1", "*\\\\VolumeShadowCopyTools.ps1", "*\\\\Invoke-ReflectivePEInjection.ps1", "*\\\\Get-TimedScreenshot.ps1", "*\\\\Invoke-UserHunter.ps1", "*\\\\Find-GPOLocation.ps1", "*\\\\Invoke-ACLScanner.ps1", "*\\\\Invoke-DowngradeAccount.ps1", "*\\\\Get-ServiceUnquoted.ps1", "*\\\\Get-ServiceFilePermission.ps1", "*\\\\Get-ServicePermission.ps1", "*\\\\Invoke-ServiceAbuse.ps1", "*\\\\Install-ServiceBinary.ps1", "*\\\\Get-RegAutoLogon.ps1", "*\\\\Get-VulnAutoRun.ps1", "*\\\\Get-VulnSchTask.ps1", "*\\\\Get-UnattendedInstallFile.ps1", "*\\\\Get-WebConfig.ps1", "*\\\\Get-ApplicationHost.ps1", "*\\\\Get-RegAlwaysInstallElevated.ps1", "*\\\\Get-Unconstrained.ps1", "*\\\\Add-RegBackdoor.ps1", "*\\\\Add-ScrnSaveBackdoor.ps1", "*\\\\Gupt-Backdoor.ps1", "*\\\\Invoke-ADSBackdoor.ps1", "*\\\\Enabled-DuplicateToken.ps1", "*\\\\Invoke-PsUaCme.ps1", "*\\\\Remove-Update.ps1", "*\\\\Check-VM.ps1", "*\\\\Get-LSASecret.ps1", "*\\\\Get-PassHashes.ps1", "*\\\\Show-TargetScreen.ps1", "*\\\\Port-Scan.ps1", "*\\\\Invoke-PoshRatHttp.ps1", "*\\\\Invoke-PowerShellTCP.ps1", "*\\\\Invoke-PowerShellWMI.ps1", "*\\\\Add-Exfiltration.ps1", "*\\\\Add-Persistence.ps1", "*\\\\Do-Exfiltration.ps1", "*\\\\Start-CaptureServer.ps1", "*\\\\Invoke-ShellCode.ps1", "*\\\\Get-ChromeDump.ps1", "*\\\\Get-ClipboardContents.ps1", "*\\\\Get-FoxDump.ps1", "*\\\\Get-IndexedItem.ps1", "*\\\\Get-Screenshot.ps1", "*\\\\Invoke-Inveigh.ps1", "*\\\\Invoke-NetRipper.ps1", "*\\\\Invoke-EgressCheck.ps1", "*\\\\Invoke-PostExfil.ps1", "*\\\\Invoke-PSInject.ps1", "*\\\\Invoke-RunAs.ps1", "*\\\\MailRaider.ps1", "*\\\\New-HoneyHash.ps1", "*\\\\Set-MacAttribute.ps1", "*\\\\Invoke-DCSync.ps1", "*\\\\Invoke-PowerDump.ps1", "*\\\\Exploit-Jboss.ps1", "*\\\\Invoke-ThunderStruck.ps1", "*\\\\Invoke-VoiceTroll.ps1", "*\\\\Set-Wallpaper.ps1", "*\\\\Invoke-InveighRelay.ps1", "*\\\\Invoke-PsExec.ps1", "*\\\\Invoke-SSHCommand.ps1", "*\\\\Get-SecurityPackages.ps1", "*\\\\Install-SSP.ps1", "*\\\\Invoke-BackdoorLNK.ps1", "*\\\\PowerBreach.ps1", "*\\\\Get-SiteListPassword.ps1", "*\\\\Get-System.ps1", "*\\\\Invoke-BypassUAC.ps1", "*\\\\Invoke-Tater.ps1", "*\\\\Invoke-WScriptBypassUAC.ps1", "*\\\\PowerUp.ps1", "*\\\\PowerView.ps1", "*\\\\Get-RickAstley.ps1", "*\\\\Find-Fruit.ps1", "*\\\\HTTP-Login.ps1", "*\\\\Find-TrustedDocuments.ps1", "*\\\\Invoke-Paranoia.ps1", "*\\\\Invoke-WinEnum.ps1", "*\\\\Invoke-ARPScan.ps1", "*\\\\Invoke-PortScan.ps1", "*\\\\Invoke-ReverseDNSLookup.ps1", "*\\\\Invoke-SMBScanner.ps1", "*\\\\Invoke-Mimikittenz.ps1"])
 ```
 
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_powershell_network_connection.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_powershell_network_connection.md
index 18b92aa..dcb4a67 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_powershell_network_connection.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_powershell_network_connection.md
@@ -19,8 +19,10 @@
 
 ```
 title: PowerShell Network Connections
+id: 1f21ec3f-810d-4b0e-8045-322202e22b4b
 status: experimental
-description: "Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company's ip range')"  
+description: Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g.
+    extend filters with company's ip range')
 author: Florian Roth
 references:
     - https://www.youtube.com/watch?v=DLtJTxMWZ2o
@@ -34,6 +36,7 @@ detection:
     selection:
         EventID: 3
         Image: '*\powershell.exe'
+        Initiated: 'true'
     filter:
         DestinationIp: 
             - '10.*'
@@ -71,42 +74,42 @@ level: low
 ### es-qs
     
 ```
-((EventID:"3" AND Image.keyword:*\\\\powershell.exe) AND (NOT (DestinationIp.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.0.0.1) AND DestinationIsIpv6:"false" AND User:"NT\\ AUTHORITY\\\\SYSTEM")))
+((EventID:"3" AND Image.keyword:*\\\\powershell.exe AND Initiated:"true") AND (NOT (DestinationIp.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.0.0.1) AND DestinationIsIpv6:"false" AND User:"NT\\ AUTHORITY\\\\SYSTEM")))
 ```
 
 
 ### xpack-watcher
     
 ```
-curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/PowerShell-Network-Connections <<EOF\n{\n  "metadata": {\n    "title": "PowerShell Network Connections",\n    "description": "Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company\'s ip range\')",\n    "tags": [\n      "attack.execution",\n      "attack.t1086"\n    ],\n    "query": "((EventID:\\"3\\" AND Image.keyword:*\\\\\\\\powershell.exe) AND (NOT (DestinationIp.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.0.0.1) AND DestinationIsIpv6:\\"false\\" AND User:\\"NT\\\\ AUTHORITY\\\\\\\\SYSTEM\\")))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "((EventID:\\"3\\" AND Image.keyword:*\\\\\\\\powershell.exe) AND (NOT (DestinationIp.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.0.0.1) AND DestinationIsIpv6:\\"false\\" AND User:\\"NT\\\\ AUTHORITY\\\\\\\\SYSTEM\\")))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'PowerShell Network Connections\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/PowerShell-Network-Connections <<EOF\n{\n  "metadata": {\n    "title": "PowerShell Network Connections",\n    "description": "Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company\'s ip range\')",\n    "tags": [\n      "attack.execution",\n      "attack.t1086"\n    ],\n    "query": "((EventID:\\"3\\" AND Image.keyword:*\\\\\\\\powershell.exe AND Initiated:\\"true\\") AND (NOT (DestinationIp.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.0.0.1) AND DestinationIsIpv6:\\"false\\" AND User:\\"NT\\\\ AUTHORITY\\\\\\\\SYSTEM\\")))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "((EventID:\\"3\\" AND Image.keyword:*\\\\\\\\powershell.exe AND Initiated:\\"true\\") AND (NOT (DestinationIp.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.0.0.1) AND DestinationIsIpv6:\\"false\\" AND User:\\"NT\\\\ AUTHORITY\\\\\\\\SYSTEM\\")))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'PowerShell Network Connections\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
 ```
 
 
 ### graylog
     
 ```
-((EventID:"3" AND Image:"*\\\\powershell.exe") AND NOT (DestinationIp:("10.*" "192.168.*" "172.16.*" "172.17.*" "172.18.*" "172.19.*" "172.20.*" "172.21.*" "172.22.*" "172.23.*" "172.24.*" "172.25.*" "172.26.*" "172.27.*" "172.28.*" "172.29.*" "172.30.*" "172.31.*" "127.0.0.1") AND DestinationIsIpv6:"false" AND User:"NT AUTHORITY\\\\SYSTEM"))
+((EventID:"3" AND Image.keyword:*\\\\powershell.exe AND Initiated:"true") AND (NOT (DestinationIp.keyword:(10.* 192.168.* 172.16.* 172.17.* 172.18.* 172.19.* 172.20.* 172.21.* 172.22.* 172.23.* 172.24.* 172.25.* 172.26.* 172.27.* 172.28.* 172.29.* 172.30.* 172.31.* 127.0.0.1) AND DestinationIsIpv6:"false" AND User:"NT AUTHORITY\\\\SYSTEM")))
 ```
 
 
 ### splunk
     
 ```
-((EventID="3" Image="*\\\\powershell.exe") NOT ((DestinationIp="10.*" OR DestinationIp="192.168.*" OR DestinationIp="172.16.*" OR DestinationIp="172.17.*" OR DestinationIp="172.18.*" OR DestinationIp="172.19.*" OR DestinationIp="172.20.*" OR DestinationIp="172.21.*" OR DestinationIp="172.22.*" OR DestinationIp="172.23.*" OR DestinationIp="172.24.*" OR DestinationIp="172.25.*" OR DestinationIp="172.26.*" OR DestinationIp="172.27.*" OR DestinationIp="172.28.*" OR DestinationIp="172.29.*" OR DestinationIp="172.30.*" OR DestinationIp="172.31.*" OR DestinationIp="127.0.0.1") DestinationIsIpv6="false" User="NT AUTHORITY\\\\SYSTEM"))
+((EventID="3" Image="*\\\\powershell.exe" Initiated="true") NOT ((DestinationIp="10.*" OR DestinationIp="192.168.*" OR DestinationIp="172.16.*" OR DestinationIp="172.17.*" OR DestinationIp="172.18.*" OR DestinationIp="172.19.*" OR DestinationIp="172.20.*" OR DestinationIp="172.21.*" OR DestinationIp="172.22.*" OR DestinationIp="172.23.*" OR DestinationIp="172.24.*" OR DestinationIp="172.25.*" OR DestinationIp="172.26.*" OR DestinationIp="172.27.*" OR DestinationIp="172.28.*" OR DestinationIp="172.29.*" OR DestinationIp="172.30.*" OR DestinationIp="172.31.*" OR DestinationIp="127.0.0.1") DestinationIsIpv6="false" User="NT AUTHORITY\\\\SYSTEM"))
 ```
 
 
 ### logpoint
     
 ```
-((EventID="3" Image="*\\\\powershell.exe")  -(DestinationIp IN ["10.*", "192.168.*", "172.16.*", "172.17.*", "172.18.*", "172.19.*", "172.20.*", "172.21.*", "172.22.*", "172.23.*", "172.24.*", "172.25.*", "172.26.*", "172.27.*", "172.28.*", "172.29.*", "172.30.*", "172.31.*", "127.0.0.1"] DestinationIsIpv6="false" User="NT AUTHORITY\\\\SYSTEM"))
+((event_id="3" Image="*\\\\powershell.exe" Initiated="true")  -(DestinationIp IN ["10.*", "192.168.*", "172.16.*", "172.17.*", "172.18.*", "172.19.*", "172.20.*", "172.21.*", "172.22.*", "172.23.*", "172.24.*", "172.25.*", "172.26.*", "172.27.*", "172.28.*", "172.29.*", "172.30.*", "172.31.*", "127.0.0.1"] DestinationIsIpv6="false" User="NT AUTHORITY\\\\SYSTEM"))
 ```
 
 
 ### grep
     
 ```
-grep -P '^(?:.*(?=.*(?:.*(?=.*3)(?=.*.*\\powershell\\.exe)))(?=.*(?!.*(?:.*(?=.*(?:.*10\\..*|.*192\\.168\\..*|.*172\\.16\\..*|.*172\\.17\\..*|.*172\\.18\\..*|.*172\\.19\\..*|.*172\\.20\\..*|.*172\\.21\\..*|.*172\\.22\\..*|.*172\\.23\\..*|.*172\\.24\\..*|.*172\\.25\\..*|.*172\\.26\\..*|.*172\\.27\\..*|.*172\\.28\\..*|.*172\\.29\\..*|.*172\\.30\\..*|.*172\\.31\\..*|.*127\\.0\\.0\\.1))(?=.*false)(?=.*NT AUTHORITY\\SYSTEM)))))'
+grep -P '^(?:.*(?=.*(?:.*(?=.*3)(?=.*.*\\powershell\\.exe)(?=.*true)))(?=.*(?!.*(?:.*(?=.*(?:.*10\\..*|.*192\\.168\\..*|.*172\\.16\\..*|.*172\\.17\\..*|.*172\\.18\\..*|.*172\\.19\\..*|.*172\\.20\\..*|.*172\\.21\\..*|.*172\\.22\\..*|.*172\\.23\\..*|.*172\\.24\\..*|.*172\\.25\\..*|.*172\\.26\\..*|.*172\\.27\\..*|.*172\\.28\\..*|.*172\\.29\\..*|.*172\\.30\\..*|.*172\\.31\\..*|.*127\\.0\\.0\\.1))(?=.*false)(?=.*NT AUTHORITY\\SYSTEM)))))'
 ```
 
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_quarkspw_filedump.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_quarkspw_filedump.md
index 37a1e9e..6f9dc82 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_quarkspw_filedump.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_quarkspw_filedump.md
@@ -19,6 +19,7 @@
 
 ```
 title: QuarksPwDump Dump File
+id: 847def9e-924d-4e90-b7c4-5f581395a2b4
 status: experimental
 description: Detects a dump file written by QuarksPwDump password dumper
 references:
@@ -65,7 +66,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### graylog
     
 ```
-(EventID:"11" AND TargetFilename:"*\\\\AppData\\\\Local\\\\Temp\\\\SAM\\-*.dmp*")
+(EventID:"11" AND TargetFilename.keyword:*\\\\AppData\\\\Local\\\\Temp\\\\SAM\\-*.dmp*)
 ```
 
 
@@ -79,7 +80,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### logpoint
     
 ```
-(EventID="11" TargetFilename="*\\\\AppData\\\\Local\\\\Temp\\\\SAM-*.dmp*")
+(event_id="11" TargetFilename="*\\\\AppData\\\\Local\\\\Temp\\\\SAM-*.dmp*")
 ```
 
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_rdp_reverse_tunnel.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_rdp_reverse_tunnel.md
index 5bdde86..9e40c46 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_rdp_reverse_tunnel.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_rdp_reverse_tunnel.md
@@ -11,7 +11,7 @@
 | Development Status   | experimental |
 | References           | <ul><li>[https://twitter.com/SBousseaden/status/1096148422984384514](https://twitter.com/SBousseaden/status/1096148422984384514)</li></ul>  |
 | Author               | Samir Bousseaden |
-| Other Tags           | <ul><li>car.2013-07-002</li><li>car.2013-07-002</li></ul> | 
+| Other Tags           | <ul><li>car.2013-07-002</li></ul> | 
 
 ## Detection Rules
 
@@ -19,6 +19,7 @@
 
 ```
 title: RDP over Reverse SSH Tunnel
+id: 5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4
 status: experimental
 description: Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389
 references:
@@ -37,6 +38,7 @@ detection:
     selection:
         EventID: 3
         Image: '*\svchost.exe'
+        Initiated: 'true'
         SourcePort: 3389 
         DestinationIp:
             - '127.*'
@@ -45,6 +47,7 @@ detection:
 falsepositives:
     - unknown
 level: high
+
 ```
 
 
@@ -54,42 +57,42 @@ level: high
 ### es-qs
     
 ```
-(EventID:"3" AND Image.keyword:*\\\\svchost.exe AND SourcePort:"3389" AND DestinationIp.keyword:(127.* OR \\:\\:1))
+(EventID:"3" AND Image.keyword:*\\\\svchost.exe AND Initiated:"true" AND SourcePort:"3389" AND DestinationIp.keyword:(127.* OR \\:\\:1))
 ```
 
 
 ### xpack-watcher
     
 ```
-curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/RDP-over-Reverse-SSH-Tunnel <<EOF\n{\n  "metadata": {\n    "title": "RDP over Reverse SSH Tunnel",\n    "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.command_and_control",\n      "attack.t1076",\n      "car.2013-07-002"\n    ],\n    "query": "(EventID:\\"3\\" AND Image.keyword:*\\\\\\\\svchost.exe AND SourcePort:\\"3389\\" AND DestinationIp.keyword:(127.* OR \\\\:\\\\:1))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:\\"3\\" AND Image.keyword:*\\\\\\\\svchost.exe AND SourcePort:\\"3389\\" AND DestinationIp.keyword:(127.* OR \\\\:\\\\:1))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'RDP over Reverse SSH Tunnel\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/RDP-over-Reverse-SSH-Tunnel <<EOF\n{\n  "metadata": {\n    "title": "RDP over Reverse SSH Tunnel",\n    "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.command_and_control",\n      "attack.t1076",\n      "car.2013-07-002"\n    ],\n    "query": "(EventID:\\"3\\" AND Image.keyword:*\\\\\\\\svchost.exe AND Initiated:\\"true\\" AND SourcePort:\\"3389\\" AND DestinationIp.keyword:(127.* OR \\\\:\\\\:1))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:\\"3\\" AND Image.keyword:*\\\\\\\\svchost.exe AND Initiated:\\"true\\" AND SourcePort:\\"3389\\" AND DestinationIp.keyword:(127.* OR \\\\:\\\\:1))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'RDP over Reverse SSH Tunnel\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
 ```
 
 
 ### graylog
     
 ```
-(EventID:"3" AND Image:"*\\\\svchost.exe" AND SourcePort:"3389" AND DestinationIp:("127.*" "\\:\\:1"))
+(EventID:"3" AND Image.keyword:*\\\\svchost.exe AND Initiated:"true" AND SourcePort:"3389" AND DestinationIp.keyword:(127.* \\:\\:1))
 ```
 
 
 ### splunk
     
 ```
-(EventID="3" Image="*\\\\svchost.exe" SourcePort="3389" (DestinationIp="127.*" OR DestinationIp="::1"))
+(EventID="3" Image="*\\\\svchost.exe" Initiated="true" SourcePort="3389" (DestinationIp="127.*" OR DestinationIp="::1"))
 ```
 
 
 ### logpoint
     
 ```
-(EventID="3" Image="*\\\\svchost.exe" SourcePort="3389" DestinationIp IN ["127.*", "::1"])
+(event_id="3" Image="*\\\\svchost.exe" Initiated="true" SourcePort="3389" DestinationIp IN ["127.*", "::1"])
 ```
 
 
 ### grep
     
 ```
-grep -P '^(?:.*(?=.*3)(?=.*.*\\svchost\\.exe)(?=.*3389)(?=.*(?:.*127\\..*|.*::1)))'
+grep -P '^(?:.*(?=.*3)(?=.*.*\\svchost\\.exe)(?=.*true)(?=.*3389)(?=.*(?:.*127\\..*|.*::1)))'
 ```
 
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_rdp_settings_hijack.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_rdp_settings_hijack.md
index 5daf5cc..eeccece 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_rdp_settings_hijack.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_rdp_settings_hijack.md
@@ -19,18 +19,19 @@
 
 ```
 title: RDP Sensitive Settings Changed
+id: 171b67e1-74b4-460e-8d55-b331f3e32d67
 description: Detects changes to RDP terminal service sensitive settings
 references:
     - https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html
 date: 2019/04/03
 author: Samir Bousseaden
 logsource:
-   product: windows
-   service: sysmon
+    product: windows
+    service: sysmon
 detection:
     selection_reg:
-        EventID: 13 
-        TargetObject: 
+        EventID: 13
+        TargetObject:
             - '*\services\TermService\Parameters\ServiceDll*'
             - '*\Control\Terminal Server\fSingleSessionPerUser*'
             - '*\Control\Terminal Server\fDenyTSConnections*'
@@ -64,7 +65,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### graylog
     
 ```
-(EventID:"13" AND TargetObject:("*\\\\services\\\\TermService\\\\Parameters\\\\ServiceDll*" "*\\\\Control\\\\Terminal Server\\\\fSingleSessionPerUser*" "*\\\\Control\\\\Terminal Server\\\\fDenyTSConnections*"))
+(EventID:"13" AND TargetObject.keyword:(*\\\\services\\\\TermService\\\\Parameters\\\\ServiceDll* *\\\\Control\\\\Terminal Server\\\\fSingleSessionPerUser* *\\\\Control\\\\Terminal Server\\\\fDenyTSConnections*))
 ```
 
 
@@ -78,7 +79,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### logpoint
     
 ```
-(EventID="13" TargetObject IN ["*\\\\services\\\\TermService\\\\Parameters\\\\ServiceDll*", "*\\\\Control\\\\Terminal Server\\\\fSingleSessionPerUser*", "*\\\\Control\\\\Terminal Server\\\\fDenyTSConnections*"])
+(event_id="13" TargetObject IN ["*\\\\services\\\\TermService\\\\Parameters\\\\ServiceDll*", "*\\\\Control\\\\Terminal Server\\\\fSingleSessionPerUser*", "*\\\\Control\\\\Terminal Server\\\\fDenyTSConnections*"])
 ```
 
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_registry_persistence_key_linking.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_registry_persistence_key_linking.md
new file mode 100644
index 0000000..718bdaa
--- /dev/null
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_registry_persistence_key_linking.md
@@ -0,0 +1,95 @@
+| Title                | Windows Registry Persistence - COM key linking                                                                                                                                                 |
+|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Description          | Detects COM object hijacking via TreatAs subkey                                                                                                                                           |
+| ATT&amp;CK Tactic    |  <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul>  |
+| ATT&amp;CK Technique | <ul><li>[T1122: Component Object Model Hijacking](https://attack.mitre.org/techniques/T1122)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0016_12_windows_sysmon_RegistryEvent](../Data_Needed/DN_0016_12_windows_sysmon_RegistryEvent.md)</li></ul>  |
+| Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
+| Trigger              | <ul><li>[T1122: Component Object Model Hijacking](../Triggers/T1122.md)</li></ul>  |
+| Severity Level       | medium |
+| False Positives      | <ul><li>Maybe some system utilities in rare cases use linking keys for backward compability</li></ul>  |
+| Development Status   | experimental |
+| References           | <ul><li>[https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/](https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/)</li></ul>  |
+| Author               | Kutepov Anton, oscd.community |
+
+
+## Detection Rules
+
+### Sigma rule
+
+```
+title: Windows Registry Persistence - COM key linking
+id: 9b0f8a61-91b2-464f-aceb-0527e0a45020
+status: experimental
+description: Detects COM object hijacking via TreatAs subkey
+references:
+    - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
+author: Kutepov Anton, oscd.community
+date: 2019/10/23
+modified: 2019/11/07
+tags:
+    - attack.persistence
+    - attack.t1122
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 12
+        TargetObject|startswith: 'HKU\'
+        TargetObject|contains: '_Classes\CLSID\'
+        TargetObject|endswith: '\TreatAs'
+    condition: selection
+falsepositives: 
+    - Maybe some system utilities in rare cases use linking keys for backward compability
+level: medium
+
+```
+
+
+
+
+
+### es-qs
+    
+```
+(EventID:"12" AND TargetObject:"HKU\\*" AND TargetObject.keyword:*_Classes\\\\CLSID\\* AND TargetObject.keyword:*\\\\TreatAs)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Windows-Registry-Persistence---COM-key-linking <<EOF\n{\n  "metadata": {\n    "title": "Windows Registry Persistence - COM key linking",\n    "description": "Detects COM object hijacking via TreatAs subkey",\n    "tags": [\n      "attack.persistence",\n      "attack.t1122"\n    ],\n    "query": "(EventID:\\"12\\" AND TargetObject:\\"HKU\\\\*\\" AND TargetObject.keyword:*_Classes\\\\\\\\CLSID\\\\* AND TargetObject.keyword:*\\\\\\\\TreatAs)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:\\"12\\" AND TargetObject:\\"HKU\\\\*\\" AND TargetObject.keyword:*_Classes\\\\\\\\CLSID\\\\* AND TargetObject.keyword:*\\\\\\\\TreatAs)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Windows Registry Persistence - COM key linking\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(EventID:"12" AND TargetObject:"HKU\\*" AND TargetObject.keyword:*_Classes\\\\CLSID\\* AND TargetObject.keyword:*\\\\TreatAs)
+```
+
+
+### splunk
+    
+```
+(EventID="12" TargetObject="HKU\\*" TargetObject="*_Classes\\\\CLSID\\*" TargetObject="*\\\\TreatAs")
+```
+
+
+### logpoint
+    
+```
+(event_id="12" TargetObject="HKU\\*" TargetObject="*_Classes\\\\CLSID\\*" TargetObject="*\\\\TreatAs")
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*12)(?=.*HKU\\.*)(?=.*.*_Classes\\CLSID\\.*)(?=.*.*\\TreatAs))'
+```
+
+
+
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_renamed_powershell.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_renamed_powershell.md
index 7e4528c..2b9d875 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_renamed_powershell.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_renamed_powershell.md
@@ -3,7 +3,7 @@
 | Description          | Detects the execution of a renamed PowerShell often used by attackers or malware                                                                                                                                           |
 | ATT&amp;CK Tactic    |   This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet  |
 | ATT&amp;CK Technique |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| Data Needed          | <ul><li>[DN_0011_7_windows_sysmon_image_loaded](../Data_Needed/DN_0011_7_windows_sysmon_image_loaded.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0011_7_windows_sysmon_image_loaded](../Data_Needed/DN_0011_7_windows_sysmon_image_loaded.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              |  There is no documented Trigger for this Detection Rule yet  |
 | Severity Level       | critical |
@@ -11,7 +11,7 @@
 | Development Status   | experimental |
 | References           | <ul><li>[https://twitter.com/christophetd/status/1164506034720952320](https://twitter.com/christophetd/status/1164506034720952320)</li></ul>  |
 | Author               | Florian Roth |
-| Other Tags           | <ul><li>car.2013-05-009</li><li>car.2013-05-009</li></ul> | 
+| Other Tags           | <ul><li>car.2013-05-009</li></ul> | 
 
 ## Detection Rules
 
@@ -19,8 +19,9 @@
 
 ```
 title: Renamed PowerShell
+id: d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20
 status: experimental
-description: Detects the execution of a renamed PowerShell often used by attackers or malware 
+description: Detects the execution of a renamed PowerShell often used by attackers or malware
 references:
     - https://twitter.com/christophetd/status/1164506034720952320
 author: Florian Roth
@@ -66,7 +67,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### graylog
     
 ```
-((Description:"Windows PowerShell" AND Company:"Microsoft Corporation") AND NOT (Image:("*\\\\powershell.exe" "*\\\\powershell_ise.exe")))
+((Description:"Windows PowerShell" AND Company:"Microsoft Corporation") AND (NOT (Image.keyword:(*\\\\powershell.exe *\\\\powershell_ise.exe))))
 ```
 
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_renamed_procdump.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_renamed_procdump.md
new file mode 100644
index 0000000..214992e
--- /dev/null
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_renamed_procdump.md
@@ -0,0 +1,96 @@
+| Title                | Renamed ProcDump                                                                                                                                                 |
+|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Description          | Detects the execution of a renamed ProcDump executable often used by attackers or malware                                                                                                                                           |
+| ATT&amp;CK Tactic    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
+| ATT&amp;CK Technique | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0011_7_windows_sysmon_image_loaded](../Data_Needed/DN_0011_7_windows_sysmon_image_loaded.md)</li></ul>  |
+| Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
+| Trigger              | <ul><li>[T1036: Masquerading](../Triggers/T1036.md)</li></ul>  |
+| Severity Level       | critical |
+| False Positives      | <ul><li>Procdump illegaly bundled with legitimate software</li><li>Weird admins who renamed binaries</li></ul>  |
+| Development Status   | experimental |
+| References           | <ul><li>[https://docs.microsoft.com/en-us/sysinternals/downloads/procdump](https://docs.microsoft.com/en-us/sysinternals/downloads/procdump)</li></ul>  |
+| Author               | Florian Roth |
+
+
+## Detection Rules
+
+### Sigma rule
+
+```
+title: Renamed ProcDump
+id: 4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67
+status: experimental
+description: Detects the execution of a renamed ProcDump executable often used by attackers or malware
+references:
+    - https://docs.microsoft.com/en-us/sysinternals/downloads/procdump
+author: Florian Roth
+date: 2019/11/18
+tags:
+    - attack.defense_evasion
+    - attack.t1036
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        OriginalFileName: 'procdump'
+    filter:
+        Image: 
+            - '*\procdump.exe'
+            - '*\procdump64.exe'
+    condition: selection and not filter
+falsepositives:
+    - Procdump illegaly bundled with legitimate software
+    - Weird admins who renamed binaries
+level: critical
+
+```
+
+
+
+
+
+### es-qs
+    
+```
+(OriginalFileName:"procdump" AND (NOT (Image.keyword:(*\\\\procdump.exe OR *\\\\procdump64.exe))))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Renamed-ProcDump <<EOF\n{\n  "metadata": {\n    "title": "Renamed ProcDump",\n    "description": "Detects the execution of a renamed ProcDump executable often used by attackers or malware",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.t1036"\n    ],\n    "query": "(OriginalFileName:\\"procdump\\" AND (NOT (Image.keyword:(*\\\\\\\\procdump.exe OR *\\\\\\\\procdump64.exe))))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(OriginalFileName:\\"procdump\\" AND (NOT (Image.keyword:(*\\\\\\\\procdump.exe OR *\\\\\\\\procdump64.exe))))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Renamed ProcDump\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(OriginalFileName:"procdump" AND (NOT (Image.keyword:(*\\\\procdump.exe *\\\\procdump64.exe))))
+```
+
+
+### splunk
+    
+```
+(OriginalFileName="procdump" NOT ((Image="*\\\\procdump.exe" OR Image="*\\\\procdump64.exe")))
+```
+
+
+### logpoint
+    
+```
+(OriginalFileName="procdump"  -(Image IN ["*\\\\procdump.exe", "*\\\\procdump64.exe"]))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*procdump)(?=.*(?!.*(?:.*(?=.*(?:.*.*\\procdump\\.exe|.*.*\\procdump64\\.exe))))))'
+```
+
+
+
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_renamed_psexec.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_renamed_psexec.md
index 0d142ed..5765765 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_renamed_psexec.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_renamed_psexec.md
@@ -3,7 +3,7 @@
 | Description          | Detects the execution of a renamed PsExec often used by attackers or malware                                                                                                                                           |
 | ATT&amp;CK Tactic    |   This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet  |
 | ATT&amp;CK Technique |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| Data Needed          | <ul><li>[DN_0011_7_windows_sysmon_image_loaded](../Data_Needed/DN_0011_7_windows_sysmon_image_loaded.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0011_7_windows_sysmon_image_loaded](../Data_Needed/DN_0011_7_windows_sysmon_image_loaded.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              |  There is no documented Trigger for this Detection Rule yet  |
 | Severity Level       | high |
@@ -11,7 +11,7 @@
 | Development Status   | experimental |
 | References           | <ul><li>[https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks](https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks)</li></ul>  |
 | Author               | Florian Roth |
-| Other Tags           | <ul><li>car.2013-05-009</li><li>car.2013-05-009</li></ul> | 
+| Other Tags           | <ul><li>car.2013-05-009</li></ul> | 
 
 ## Detection Rules
 
@@ -19,8 +19,9 @@
 
 ```
 title: Renamed PsExec
+id: a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2
 status: experimental
-description: Detects the execution of a renamed PsExec often used by attackers or malware 
+description: Detects the execution of a renamed PsExec often used by attackers or malware
 references:
     - https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks
 author: Florian Roth
@@ -35,7 +36,9 @@ detection:
         Description: 'Execute processes remotely'
         Product: 'Sysinternals PsExec'
     filter:
-        Image: '*\PsExec.exe'
+        Image:
+           - '*\PsExec.exe'
+           - '*\PsExec64.exe'
     condition: selection and not filter
 falsepositives:
     - Software that illegaly integrates PsExec in a renamed form
@@ -51,42 +54,42 @@ level: high
 ### es-qs
     
 ```
-((Description:"Execute\\ processes\\ remotely" AND Product:"Sysinternals\\ PsExec") AND (NOT (Image.keyword:*\\\\PsExec.exe)))
+((Description:"Execute\\ processes\\ remotely" AND Product:"Sysinternals\\ PsExec") AND (NOT (Image.keyword:(*\\\\PsExec.exe OR *\\\\PsExec64.exe))))
 ```
 
 
 ### xpack-watcher
     
 ```
-curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Renamed-PsExec <<EOF\n{\n  "metadata": {\n    "title": "Renamed PsExec",\n    "description": "Detects the execution of a renamed PsExec often used by attackers or malware",\n    "tags": [\n      "car.2013-05-009"\n    ],\n    "query": "((Description:\\"Execute\\\\ processes\\\\ remotely\\" AND Product:\\"Sysinternals\\\\ PsExec\\") AND (NOT (Image.keyword:*\\\\\\\\PsExec.exe)))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "((Description:\\"Execute\\\\ processes\\\\ remotely\\" AND Product:\\"Sysinternals\\\\ PsExec\\") AND (NOT (Image.keyword:*\\\\\\\\PsExec.exe)))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Renamed PsExec\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Renamed-PsExec <<EOF\n{\n  "metadata": {\n    "title": "Renamed PsExec",\n    "description": "Detects the execution of a renamed PsExec often used by attackers or malware",\n    "tags": [\n      "car.2013-05-009"\n    ],\n    "query": "((Description:\\"Execute\\\\ processes\\\\ remotely\\" AND Product:\\"Sysinternals\\\\ PsExec\\") AND (NOT (Image.keyword:(*\\\\\\\\PsExec.exe OR *\\\\\\\\PsExec64.exe))))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "((Description:\\"Execute\\\\ processes\\\\ remotely\\" AND Product:\\"Sysinternals\\\\ PsExec\\") AND (NOT (Image.keyword:(*\\\\\\\\PsExec.exe OR *\\\\\\\\PsExec64.exe))))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Renamed PsExec\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
 ```
 
 
 ### graylog
     
 ```
-((Description:"Execute processes remotely" AND Product:"Sysinternals PsExec") AND NOT (Image:"*\\\\PsExec.exe"))
+((Description:"Execute processes remotely" AND Product:"Sysinternals PsExec") AND (NOT (Image.keyword:(*\\\\PsExec.exe *\\\\PsExec64.exe))))
 ```
 
 
 ### splunk
     
 ```
-((Description="Execute processes remotely" Product="Sysinternals PsExec") NOT (Image="*\\\\PsExec.exe"))
+((Description="Execute processes remotely" Product="Sysinternals PsExec") NOT ((Image="*\\\\PsExec.exe" OR Image="*\\\\PsExec64.exe")))
 ```
 
 
 ### logpoint
     
 ```
-((Description="Execute processes remotely" Product="Sysinternals PsExec")  -(Image="*\\\\PsExec.exe"))
+((Description="Execute processes remotely" Product="Sysinternals PsExec")  -(Image IN ["*\\\\PsExec.exe", "*\\\\PsExec64.exe"]))
 ```
 
 
 ### grep
     
 ```
-grep -P '^(?:.*(?=.*(?:.*(?=.*Execute processes remotely)(?=.*Sysinternals PsExec)))(?=.*(?!.*(?:.*(?=.*.*\\PsExec\\.exe)))))'
+grep -P '^(?:.*(?=.*(?:.*(?=.*Execute processes remotely)(?=.*Sysinternals PsExec)))(?=.*(?!.*(?:.*(?=.*(?:.*.*\\PsExec\\.exe|.*.*\\PsExec64\\.exe))))))'
 ```
 
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_rundll32_net_connections.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_rundll32_net_connections.md
index b9fbc2a..6a51f57 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_rundll32_net_connections.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_rundll32_net_connections.md
@@ -19,6 +19,7 @@
 
 ```
 title: Rundll32 Internet Connection
+id: cdc8da7d-c303-42f8-b08c-b4ab47230263
 status: experimental
 description: Detects a rundll32 that communicates with public IP addresses
 references:
@@ -36,6 +37,7 @@ detection:
     selection:
         EventID: 3
         Image: '*\rundll32.exe'
+        Initiated: 'true'
     filter:
         DestinationIp: 
             - '10.*'
@@ -71,42 +73,42 @@ level: medium
 ### es-qs
     
 ```
-((EventID:"3" AND Image.keyword:*\\\\rundll32.exe) AND (NOT (DestinationIp.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.*))))
+((EventID:"3" AND Image.keyword:*\\\\rundll32.exe AND Initiated:"true") AND (NOT (DestinationIp.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.*))))
 ```
 
 
 ### xpack-watcher
     
 ```
-curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Rundll32-Internet-Connection <<EOF\n{\n  "metadata": {\n    "title": "Rundll32 Internet Connection",\n    "description": "Detects a rundll32 that communicates with public IP addresses",\n    "tags": [\n      "attack.t1085",\n      "attack.defense_evasion",\n      "attack.execution"\n    ],\n    "query": "((EventID:\\"3\\" AND Image.keyword:*\\\\\\\\rundll32.exe) AND (NOT (DestinationIp.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.*))))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "((EventID:\\"3\\" AND Image.keyword:*\\\\\\\\rundll32.exe) AND (NOT (DestinationIp.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.*))))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Rundll32 Internet Connection\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Rundll32-Internet-Connection <<EOF\n{\n  "metadata": {\n    "title": "Rundll32 Internet Connection",\n    "description": "Detects a rundll32 that communicates with public IP addresses",\n    "tags": [\n      "attack.t1085",\n      "attack.defense_evasion",\n      "attack.execution"\n    ],\n    "query": "((EventID:\\"3\\" AND Image.keyword:*\\\\\\\\rundll32.exe AND Initiated:\\"true\\") AND (NOT (DestinationIp.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.*))))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "((EventID:\\"3\\" AND Image.keyword:*\\\\\\\\rundll32.exe AND Initiated:\\"true\\") AND (NOT (DestinationIp.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.*))))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Rundll32 Internet Connection\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
 ```
 
 
 ### graylog
     
 ```
-((EventID:"3" AND Image:"*\\\\rundll32.exe") AND NOT (DestinationIp:("10.*" "192.168.*" "172.16.*" "172.17.*" "172.18.*" "172.19.*" "172.20.*" "172.21.*" "172.22.*" "172.23.*" "172.24.*" "172.25.*" "172.26.*" "172.27.*" "172.28.*" "172.29.*" "172.30.*" "172.31.*" "127.*")))
+((EventID:"3" AND Image.keyword:*\\\\rundll32.exe AND Initiated:"true") AND (NOT (DestinationIp.keyword:(10.* 192.168.* 172.16.* 172.17.* 172.18.* 172.19.* 172.20.* 172.21.* 172.22.* 172.23.* 172.24.* 172.25.* 172.26.* 172.27.* 172.28.* 172.29.* 172.30.* 172.31.* 127.*))))
 ```
 
 
 ### splunk
     
 ```
-((EventID="3" Image="*\\\\rundll32.exe") NOT ((DestinationIp="10.*" OR DestinationIp="192.168.*" OR DestinationIp="172.16.*" OR DestinationIp="172.17.*" OR DestinationIp="172.18.*" OR DestinationIp="172.19.*" OR DestinationIp="172.20.*" OR DestinationIp="172.21.*" OR DestinationIp="172.22.*" OR DestinationIp="172.23.*" OR DestinationIp="172.24.*" OR DestinationIp="172.25.*" OR DestinationIp="172.26.*" OR DestinationIp="172.27.*" OR DestinationIp="172.28.*" OR DestinationIp="172.29.*" OR DestinationIp="172.30.*" OR DestinationIp="172.31.*" OR DestinationIp="127.*")))
+((EventID="3" Image="*\\\\rundll32.exe" Initiated="true") NOT ((DestinationIp="10.*" OR DestinationIp="192.168.*" OR DestinationIp="172.16.*" OR DestinationIp="172.17.*" OR DestinationIp="172.18.*" OR DestinationIp="172.19.*" OR DestinationIp="172.20.*" OR DestinationIp="172.21.*" OR DestinationIp="172.22.*" OR DestinationIp="172.23.*" OR DestinationIp="172.24.*" OR DestinationIp="172.25.*" OR DestinationIp="172.26.*" OR DestinationIp="172.27.*" OR DestinationIp="172.28.*" OR DestinationIp="172.29.*" OR DestinationIp="172.30.*" OR DestinationIp="172.31.*" OR DestinationIp="127.*")))
 ```
 
 
 ### logpoint
     
 ```
-((EventID="3" Image="*\\\\rundll32.exe")  -(DestinationIp IN ["10.*", "192.168.*", "172.16.*", "172.17.*", "172.18.*", "172.19.*", "172.20.*", "172.21.*", "172.22.*", "172.23.*", "172.24.*", "172.25.*", "172.26.*", "172.27.*", "172.28.*", "172.29.*", "172.30.*", "172.31.*", "127.*"]))
+((event_id="3" Image="*\\\\rundll32.exe" Initiated="true")  -(DestinationIp IN ["10.*", "192.168.*", "172.16.*", "172.17.*", "172.18.*", "172.19.*", "172.20.*", "172.21.*", "172.22.*", "172.23.*", "172.24.*", "172.25.*", "172.26.*", "172.27.*", "172.28.*", "172.29.*", "172.30.*", "172.31.*", "127.*"]))
 ```
 
 
 ### grep
     
 ```
-grep -P '^(?:.*(?=.*(?:.*(?=.*3)(?=.*.*\\rundll32\\.exe)))(?=.*(?!.*(?:.*(?=.*(?:.*10\\..*|.*192\\.168\\..*|.*172\\.16\\..*|.*172\\.17\\..*|.*172\\.18\\..*|.*172\\.19\\..*|.*172\\.20\\..*|.*172\\.21\\..*|.*172\\.22\\..*|.*172\\.23\\..*|.*172\\.24\\..*|.*172\\.25\\..*|.*172\\.26\\..*|.*172\\.27\\..*|.*172\\.28\\..*|.*172\\.29\\..*|.*172\\.30\\..*|.*172\\.31\\..*|.*127\\..*))))))'
+grep -P '^(?:.*(?=.*(?:.*(?=.*3)(?=.*.*\\rundll32\\.exe)(?=.*true)))(?=.*(?!.*(?:.*(?=.*(?:.*10\\..*|.*192\\.168\\..*|.*172\\.16\\..*|.*172\\.17\\..*|.*172\\.18\\..*|.*172\\.19\\..*|.*172\\.20\\..*|.*172\\.21\\..*|.*172\\.22\\..*|.*172\\.23\\..*|.*172\\.24\\..*|.*172\\.25\\..*|.*172\\.26\\..*|.*172\\.27\\..*|.*172\\.28\\..*|.*172\\.29\\..*|.*172\\.30\\..*|.*172\\.31\\..*|.*127\\..*))))))'
 ```
 
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_ssp_added_lsa_config.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_ssp_added_lsa_config.md
index da9f358..0f3cc68 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_ssp_added_lsa_config.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_ssp_added_lsa_config.md
@@ -19,8 +19,9 @@
 
 ```
 title: Security Support Provider (SSP) added to LSA configuration
+id: eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc
 status: experimental
-description: Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows. 
+description: Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.
 references:
     - https://attack.mitre.org/techniques/T1101/
     - https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/
@@ -70,7 +71,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### graylog
     
 ```
-((EventID:"13" AND TargetObject:("HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages" "HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages")) AND NOT (Image:"C\\:\\\\Windows\\\\system32\\\\msiexec.exe" OR Image:"C\\:\\\\Windows\\\\syswow64\\\\MsiExec.exe"))
+((EventID:"13" AND TargetObject:("HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages" "HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages")) AND (NOT (Image:"C\\:\\\\Windows\\\\system32\\\\msiexec.exe" OR Image:"C\\:\\\\Windows\\\\syswow64\\\\MsiExec.exe")))
 ```
 
 
@@ -84,7 +85,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### logpoint
     
 ```
-((EventID="13" TargetObject IN ["HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages", "HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages"])  -(Image="C:\\\\Windows\\\\system32\\\\msiexec.exe" OR Image="C:\\\\Windows\\\\syswow64\\\\MsiExec.exe"))
+((event_id="13" TargetObject IN ["HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages", "HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages"])  -(Image="C:\\\\Windows\\\\system32\\\\msiexec.exe" OR Image="C:\\\\Windows\\\\syswow64\\\\MsiExec.exe"))
 ```
 
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_stickykey_like_backdoor.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_stickykey_like_backdoor.md
index 6ab30d2..23be5c2 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_stickykey_like_backdoor.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_stickykey_like_backdoor.md
@@ -11,17 +11,18 @@
 | Development Status   |  Development Status wasn't defined for this Detection Rule yet  |
 | References           | <ul><li>[https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/](https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/)</li></ul>  |
 | Author               | Florian Roth, @twjackomo |
-| Other Tags           | <ul><li>car.2014-11-003</li><li>car.2014-11-003</li><li>car.2014-11-008</li><li>car.2014-11-008</li></ul> | 
+| Other Tags           | <ul><li>car.2014-11-003</li><li>car.2014-11-008</li></ul> | 
 
 ## Detection Rules
 
 ### Sigma rule
 
 ```
----
 action: global
 title: Sticky Key Like Backdoor Usage
-description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
+id: baca5663-583c-45f9-b5dc-ea96a22ce542
+description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login
+    screen
 references:
     - https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
 tags:
@@ -91,7 +92,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### graylog
     
 ```
-(EventID:"13" AND TargetObject:("*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\sethc.exe\\\\Debugger" "*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\utilman.exe\\\\Debugger" "*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\osk.exe\\\\Debugger" "*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Magnify.exe\\\\Debugger" "*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Narrator.exe\\\\Debugger" "*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\DisplaySwitch.exe\\\\Debugger") AND EventType:"SetValue")\n(ParentImage:("*\\\\winlogon.exe") AND CommandLine:("*cmd.exe sethc.exe *" "*cmd.exe utilman.exe *" "*cmd.exe osk.exe *" "*cmd.exe Magnify.exe *" "*cmd.exe Narrator.exe *" "*cmd.exe DisplaySwitch.exe *"))
+(EventID:"13" AND TargetObject.keyword:(*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\sethc.exe\\\\Debugger *\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\utilman.exe\\\\Debugger *\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\osk.exe\\\\Debugger *\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Magnify.exe\\\\Debugger *\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Narrator.exe\\\\Debugger *\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\DisplaySwitch.exe\\\\Debugger) AND EventType:"SetValue")\n(ParentImage.keyword:(*\\\\winlogon.exe) AND CommandLine.keyword:(*cmd.exe sethc.exe * *cmd.exe utilman.exe * *cmd.exe osk.exe * *cmd.exe Magnify.exe * *cmd.exe Narrator.exe * *cmd.exe DisplaySwitch.exe *))
 ```
 
 
@@ -105,7 +106,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### logpoint
     
 ```
-(EventID="13" TargetObject IN ["*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\sethc.exe\\\\Debugger", "*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\utilman.exe\\\\Debugger", "*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\osk.exe\\\\Debugger", "*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Magnify.exe\\\\Debugger", "*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Narrator.exe\\\\Debugger", "*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\DisplaySwitch.exe\\\\Debugger"] EventType="SetValue")\n(ParentImage IN ["*\\\\winlogon.exe"] CommandLine IN ["*cmd.exe sethc.exe *", "*cmd.exe utilman.exe *", "*cmd.exe osk.exe *", "*cmd.exe Magnify.exe *", "*cmd.exe Narrator.exe *", "*cmd.exe DisplaySwitch.exe *"])
+(event_id="13" TargetObject IN ["*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\sethc.exe\\\\Debugger", "*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\utilman.exe\\\\Debugger", "*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\osk.exe\\\\Debugger", "*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Magnify.exe\\\\Debugger", "*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Narrator.exe\\\\Debugger", "*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\DisplaySwitch.exe\\\\Debugger"] EventType="SetValue")\n(event_id="1" ParentImage IN ["*\\\\winlogon.exe"] CommandLine IN ["*cmd.exe sethc.exe *", "*cmd.exe utilman.exe *", "*cmd.exe osk.exe *", "*cmd.exe Magnify.exe *", "*cmd.exe Narrator.exe *", "*cmd.exe DisplaySwitch.exe *"])
 ```
 
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_download_run_key.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_download_run_key.md
new file mode 100644
index 0000000..7f40cb1
--- /dev/null
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_download_run_key.md
@@ -0,0 +1,95 @@
+| Title                | Suspicious RUN Key from Download                                                                                                                                                 |
+|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Description          | Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories                                                                                                                                           |
+| ATT&amp;CK Tactic    |  <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul>  |
+| ATT&amp;CK Technique | <ul><li>[T1060: Registry Run Keys / Startup Folder](https://attack.mitre.org/techniques/T1060)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li></ul>  |
+| Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
+| Trigger              | <ul><li>[T1060: Registry Run Keys / Startup Folder](../Triggers/T1060.md)</li></ul>  |
+| Severity Level       | high |
+| False Positives      | <ul><li>Software installers downloaded and used by users</li></ul>  |
+| Development Status   | experimental |
+| References           | <ul><li>[https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/](https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/)</li></ul>  |
+| Author               | Florian Roth |
+
+
+## Detection Rules
+
+### Sigma rule
+
+```
+title: Suspicious RUN Key from Download
+id: 9c5037d1-c568-49b3-88c7-9846a5bdc2be
+status: experimental
+description: Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories
+references:
+    - https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/
+author: Florian Roth
+date: 2019/10/01
+tags:
+    - attack.persistence
+    - attack.t1060
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 13
+        Image: 
+            - '*\Downloads\\*'
+            - '*\Temporary Internet Files\Content.Outlook\\*'
+            - '*\Local Settings\Temporary Internet Files\\*'
+        TargetObject: '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\*'
+    condition: selection
+falsepositives:
+    - Software installers downloaded and used by users
+level: high
+```
+
+
+
+
+
+### es-qs
+    
+```
+(EventID:"13" AND Image.keyword:(*\\\\Downloads\\\\* OR *\\\\Temporary\\ Internet\\ Files\\\\Content.Outlook\\\\* OR *\\\\Local\\ Settings\\\\Temporary\\ Internet\\ Files\\\\*) AND TargetObject.keyword:*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-RUN-Key-from-Download <<EOF\n{\n  "metadata": {\n    "title": "Suspicious RUN Key from Download",\n    "description": "Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories",\n    "tags": [\n      "attack.persistence",\n      "attack.t1060"\n    ],\n    "query": "(EventID:\\"13\\" AND Image.keyword:(*\\\\\\\\Downloads\\\\\\\\* OR *\\\\\\\\Temporary\\\\ Internet\\\\ Files\\\\\\\\Content.Outlook\\\\\\\\* OR *\\\\\\\\Local\\\\ Settings\\\\\\\\Temporary\\\\ Internet\\\\ Files\\\\\\\\*) AND TargetObject.keyword:*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:\\"13\\" AND Image.keyword:(*\\\\\\\\Downloads\\\\\\\\* OR *\\\\\\\\Temporary\\\\ Internet\\\\ Files\\\\\\\\Content.Outlook\\\\\\\\* OR *\\\\\\\\Local\\\\ Settings\\\\\\\\Temporary\\\\ Internet\\\\ Files\\\\\\\\*) AND TargetObject.keyword:*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Suspicious RUN Key from Download\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(EventID:"13" AND Image.keyword:(*\\\\Downloads\\\\* *\\\\Temporary Internet Files\\\\Content.Outlook\\\\* *\\\\Local Settings\\\\Temporary Internet Files\\\\*) AND TargetObject.keyword:*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*)
+```
+
+
+### splunk
+    
+```
+(EventID="13" (Image="*\\\\Downloads\\\\*" OR Image="*\\\\Temporary Internet Files\\\\Content.Outlook\\\\*" OR Image="*\\\\Local Settings\\\\Temporary Internet Files\\\\*") TargetObject="*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*")
+```
+
+
+### logpoint
+    
+```
+(event_id="13" Image IN ["*\\\\Downloads\\\\*", "*\\\\Temporary Internet Files\\\\Content.Outlook\\\\*", "*\\\\Local Settings\\\\Temporary Internet Files\\\\*"] TargetObject="*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*")
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*13)(?=.*(?:.*.*\\Downloads\\\\.*|.*.*\\Temporary Internet Files\\Content\\.Outlook\\\\.*|.*.*\\Local Settings\\Temporary Internet Files\\\\.*))(?=.*.*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\\.*))'
+```
+
+
+
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_driver_load.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_driver_load.md
index ad3b149..2079d2d 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_driver_load.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_driver_load.md
@@ -19,11 +19,12 @@
 
 ```
 title: Suspicious Driver Load from Temp
+id: 2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75
 description: Detects a driver load from a temporary directory
 author: Florian Roth
-tags: 
-  - attack.persistence
-  - attack.t1050
+tags:
+    - attack.persistence
+    - attack.t1050
 logsource:
     product: windows
     service: sysmon
@@ -59,7 +60,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### graylog
     
 ```
-(EventID:"6" AND ImageLoaded:"*\\\\Temp\\\\*")
+(EventID:"6" AND ImageLoaded.keyword:*\\\\Temp\\\\*)
 ```
 
 
@@ -73,7 +74,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### logpoint
     
 ```
-(EventID="6" ImageLoaded="*\\\\Temp\\\\*")
+(event_id="6" ImageLoaded="*\\\\Temp\\\\*")
 ```
 
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_file_characteristics.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_file_characteristics.md
index 89526e9..675dccf 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_file_characteristics.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_file_characteristics.md
@@ -3,10 +3,10 @@
 | Description          | Detects Executables without FileVersion,Description,Product,Company likely created with py2exe                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1064: Scripting](https://attack.mitre.org/techniques/T1064)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0011_7_windows_sysmon_image_loaded](../Data_Needed/DN_0011_7_windows_sysmon_image_loaded.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0011_7_windows_sysmon_image_loaded](../Data_Needed/DN_0011_7_windows_sysmon_image_loaded.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1064: Scripting](../Triggers/T1064.md)</li></ul>  |
-| Severity Level       | high |
+| Severity Level       | medium |
 | False Positives      | <ul><li>Unknown</li></ul>  |
 | Development Status   | experimental |
 | References           | <ul><li>[https://securelist.com/muddywater/88059/](https://securelist.com/muddywater/88059/)</li><li>[https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection](https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection)</li></ul>  |
@@ -19,6 +19,7 @@
 
 ```
 title: Suspicious File Characteristics due to Missing Fields
+id: 9637e8a5-7131-4f7f-bdc7-2b05d8670c43
 description: Detects Executables without FileVersion,Description,Product,Company likely created with py2exe
 status: experimental
 references:
@@ -26,6 +27,7 @@ references:
     - https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection
 author: Markus Neis
 date: 2018/11/22
+modified: 2019/11/09
 tags:
     - attack.defense_evasion
     - attack.execution
@@ -49,7 +51,7 @@ fields:
     - ParentCommandLine
 falsepositives:
     - Unknown
-level: high
+level: medium
 
 ```
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_image_load.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_image_load.md
index 6f1408f..f04a6b7 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_image_load.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_image_load.md
@@ -18,7 +18,8 @@
 ### Sigma rule
 
 ```
-title: Possible Process Hollowing Image Loading 
+title: Possible Process Hollowing Image Loading
+id: e32ce4f5-46c6-4c47-ba69-5de3c9193cd7
 status: experimental
 description: Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz
 references:
@@ -67,7 +68,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### graylog
     
 ```
-(EventID:"7" AND Image:("*\\\\notepad.exe") AND ImageLoaded:("*\\\\samlib.dll" "*\\\\WinSCard.dll"))
+(EventID:"7" AND Image.keyword:(*\\\\notepad.exe) AND ImageLoaded.keyword:(*\\\\samlib.dll *\\\\WinSCard.dll))
 ```
 
 
@@ -81,7 +82,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### logpoint
     
 ```
-(EventID="7" Image IN ["*\\\\notepad.exe"] ImageLoaded IN ["*\\\\samlib.dll", "*\\\\WinSCard.dll"])
+(event_id="7" Image IN ["*\\\\notepad.exe"] ImageLoaded IN ["*\\\\samlib.dll", "*\\\\WinSCard.dll"])
 ```
 
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_lsass_dll_load.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_lsass_dll_load.md
new file mode 100644
index 0000000..dba708f
--- /dev/null
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_lsass_dll_load.md
@@ -0,0 +1,98 @@
+| Title                | DLL Load via LSASS                                                                                                                                                 |
+|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Description          | Detects a method to load DLL via LSASS process using an undocumented Registry key                                                                                                                                           |
+| ATT&amp;CK Tactic    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
+| ATT&amp;CK Technique | <ul><li>[T1177: LSASS Driver](https://attack.mitre.org/techniques/T1177)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0016_12_windows_sysmon_RegistryEvent](../Data_Needed/DN_0016_12_windows_sysmon_RegistryEvent.md)</li><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li></ul>  |
+| Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
+| Trigger              | <ul><li>[T1177: LSASS Driver](../Triggers/T1177.md)</li></ul>  |
+| Severity Level       | high |
+| False Positives      | <ul><li>Unknown</li></ul>  |
+| Development Status   | experimental |
+| References           | <ul><li>[https://blog.xpnsec.com/exploring-mimikatz-part-1/](https://blog.xpnsec.com/exploring-mimikatz-part-1/)</li><li>[https://twitter.com/SBousseaden/status/1183745981189427200](https://twitter.com/SBousseaden/status/1183745981189427200)</li></ul>  |
+| Author               | Florian Roth |
+
+
+## Detection Rules
+
+### Sigma rule
+
+```
+title: DLL Load via LSASS
+id: b3503044-60ce-4bf4-bbcb-e3db98788823
+status: experimental
+description: Detects a method to load DLL via LSASS process using an undocumented Registry key
+author: Florian Roth
+date: 2019/10/16
+references:
+    - https://blog.xpnsec.com/exploring-mimikatz-part-1/
+    - https://twitter.com/SBousseaden/status/1183745981189427200
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID:
+            - 12 
+            - 13
+        TargetObject: 
+            - '*\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt*'
+            - '*\CurrentControlSet\Services\NTDS\LsaDbExtPt*'
+    condition: selection
+tags:
+    - attack.execution
+    - attack.t1177
+falsepositives:
+    - Unknown
+level: high
+
+
+```
+
+
+
+
+
+### es-qs
+    
+```
+(EventID:("12" OR "13") AND TargetObject.keyword:(*\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\DirectoryServiceExtPt* OR *\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\LsaDbExtPt*))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/DLL-Load-via-LSASS <<EOF\n{\n  "metadata": {\n    "title": "DLL Load via LSASS",\n    "description": "Detects a method to load DLL via LSASS process using an undocumented Registry key",\n    "tags": [\n      "attack.execution",\n      "attack.t1177"\n    ],\n    "query": "(EventID:(\\"12\\" OR \\"13\\") AND TargetObject.keyword:(*\\\\\\\\CurrentControlSet\\\\\\\\Services\\\\\\\\NTDS\\\\\\\\DirectoryServiceExtPt* OR *\\\\\\\\CurrentControlSet\\\\\\\\Services\\\\\\\\NTDS\\\\\\\\LsaDbExtPt*))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:(\\"12\\" OR \\"13\\") AND TargetObject.keyword:(*\\\\\\\\CurrentControlSet\\\\\\\\Services\\\\\\\\NTDS\\\\\\\\DirectoryServiceExtPt* OR *\\\\\\\\CurrentControlSet\\\\\\\\Services\\\\\\\\NTDS\\\\\\\\LsaDbExtPt*))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'DLL Load via LSASS\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(EventID:("12" "13") AND TargetObject.keyword:(*\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\DirectoryServiceExtPt* *\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\LsaDbExtPt*))
+```
+
+
+### splunk
+    
+```
+((EventID="12" OR EventID="13") (TargetObject="*\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\DirectoryServiceExtPt*" OR TargetObject="*\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\LsaDbExtPt*"))
+```
+
+
+### logpoint
+    
+```
+(event_id IN ["12", "13"] TargetObject IN ["*\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\DirectoryServiceExtPt*", "*\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\LsaDbExtPt*"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*12|.*13))(?=.*(?:.*.*\\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt.*|.*.*\\CurrentControlSet\\Services\\NTDS\\LsaDbExtPt.*)))'
+```
+
+
+
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_powershell_rundll32.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_powershell_rundll32.md
index d59dc04..78cf14b 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_powershell_rundll32.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_powershell_rundll32.md
@@ -19,8 +19,9 @@
 
 ```
 title: PowerShell Rundll32 Remote Thread Creation
+id: 99b97608-3e21-4bfe-8217-2a127c396a0e
 status: experimental
-description: Detects PowerShell remote thread creation in Rundll32.exe 
+description: Detects PowerShell remote thread creation in Rundll32.exe
 author: Florian Roth
 references:
     - https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html
@@ -66,7 +67,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### graylog
     
 ```
-(EventID:"8" AND SourceImage:"*\\\\powershell.exe" AND TargetImage:"*\\\\rundll32.exe")
+(EventID:"8" AND SourceImage.keyword:*\\\\powershell.exe AND TargetImage.keyword:*\\\\rundll32.exe)
 ```
 
 
@@ -80,7 +81,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### logpoint
     
 ```
-(EventID="8" SourceImage="*\\\\powershell.exe" TargetImage="*\\\\rundll32.exe")
+(event_id="8" SourceImage="*\\\\powershell.exe" TargetImage="*\\\\rundll32.exe")
 ```
 
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_prog_location_network_connection.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_prog_location_network_connection.md
index ca57a6c..bcb2fc3 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_prog_location_network_connection.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_prog_location_network_connection.md
@@ -19,6 +19,7 @@
 
 ```
 title: Suspicious Program Location with Network Connections
+id: 7b434893-c57d-4f41-908d-6a17bf1ae98f
 status: experimental
 description: Detects programs with network connections running in suspicious files system locations
 references:
@@ -73,7 +74,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### graylog
     
 ```
-(EventID:"3" AND Image:("*\\\\$Recycle.bin" "*\\\\Users\\\\All Users\\\\*" "*\\\\Users\\\\Default\\\\*" "*\\\\Users\\\\Public\\\\*" "*\\\\Users\\\\Contacts\\\\*" "*\\\\Users\\\\Searches\\\\*" "C\\:\\\\Perflogs\\\\*" "*\\\\config\\\\systemprofile\\\\*" "*\\\\Windows\\\\Fonts\\\\*" "*\\\\Windows\\\\IME\\\\*" "*\\\\Windows\\\\addins\\\\*"))
+(EventID:"3" AND Image.keyword:(*\\\\$Recycle.bin *\\\\Users\\\\All Users\\\\* *\\\\Users\\\\Default\\\\* *\\\\Users\\\\Public\\\\* *\\\\Users\\\\Contacts\\\\* *\\\\Users\\\\Searches\\\\* C\\:\\\\Perflogs\\\\* *\\\\config\\\\systemprofile\\\\* *\\\\Windows\\\\Fonts\\\\* *\\\\Windows\\\\IME\\\\* *\\\\Windows\\\\addins\\\\*))
 ```
 
 
@@ -87,7 +88,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### logpoint
     
 ```
-(EventID="3" Image IN ["*\\\\$Recycle.bin", "*\\\\Users\\\\All Users\\\\*", "*\\\\Users\\\\Default\\\\*", "*\\\\Users\\\\Public\\\\*", "*\\\\Users\\\\Contacts\\\\*", "*\\\\Users\\\\Searches\\\\*", "C:\\\\Perflogs\\\\*", "*\\\\config\\\\systemprofile\\\\*", "*\\\\Windows\\\\Fonts\\\\*", "*\\\\Windows\\\\IME\\\\*", "*\\\\Windows\\\\addins\\\\*"])
+(event_id="3" Image IN ["*\\\\$Recycle.bin", "*\\\\Users\\\\All Users\\\\*", "*\\\\Users\\\\Default\\\\*", "*\\\\Users\\\\Public\\\\*", "*\\\\Users\\\\Contacts\\\\*", "*\\\\Users\\\\Searches\\\\*", "C:\\\\Perflogs\\\\*", "*\\\\config\\\\systemprofile\\\\*", "*\\\\Windows\\\\Fonts\\\\*", "*\\\\Windows\\\\IME\\\\*", "*\\\\Windows\\\\addins\\\\*"])
 ```
 
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_rdp.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_rdp.md
index 830fa3c..e904556 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_rdp.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_rdp.md
@@ -11,19 +11,20 @@
 | Development Status   | experimental |
 | References           | <ul><li>[https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708)</li></ul>  |
 | Author               | Markus Neis - Swisscom |
-| Other Tags           | <ul><li>car.2013-07-002</li><li>car.2013-07-002</li></ul> | 
+| Other Tags           | <ul><li>car.2013-07-002</li></ul> | 
 
 ## Detection Rules
 
 ### Sigma rule
 
 ```
-title: Suspicious Outbound RDP Connections 
+title: Suspicious Outbound RDP Connections
+id: ed74fe75-7594-4b4b-ae38-e38e3fd2eb23
 status: experimental
 description: Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement
 references:
     - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
-author: Markus Neis - Swisscom 
+author: Markus Neis - Swisscom
 date: 2019/05/15
 tags:
     - attack.lateral_movement
@@ -35,7 +36,8 @@ logsource:
 detection:
     selection:
         EventID: 3
-        DestinationPort: 3389 
+        DestinationPort: 3389
+        Initiated: 'true'
     filter:
         Image:
             - '*\mstsc.exe'
@@ -71,42 +73,42 @@ level: high
 ### es-qs
     
 ```
-((EventID:"3" AND DestinationPort:"3389") AND (NOT (Image.keyword:(*\\\\mstsc.exe OR *\\\\RTSApp.exe OR *\\\\RTS2App.exe OR *\\\\RDCMan.exe OR *\\\\ws_TunnelService.exe OR *\\\\RSSensor.exe OR *\\\\RemoteDesktopManagerFree.exe OR *\\\\RemoteDesktopManager.exe OR *\\\\RemoteDesktopManager64.exe OR *\\\\mRemoteNG.exe OR *\\\\mRemote.exe OR *\\\\Terminals.exe OR *\\\\spiceworks\\-finder.exe OR *\\\\FSDiscovery.exe OR *\\\\FSAssessment.exe OR *\\\\MobaRTE.exe OR *\\\\chrome.exe OR *\\\\thor.exe OR *\\\\thor64.exe))))
+((EventID:"3" AND DestinationPort:"3389" AND Initiated:"true") AND (NOT (Image.keyword:(*\\\\mstsc.exe OR *\\\\RTSApp.exe OR *\\\\RTS2App.exe OR *\\\\RDCMan.exe OR *\\\\ws_TunnelService.exe OR *\\\\RSSensor.exe OR *\\\\RemoteDesktopManagerFree.exe OR *\\\\RemoteDesktopManager.exe OR *\\\\RemoteDesktopManager64.exe OR *\\\\mRemoteNG.exe OR *\\\\mRemote.exe OR *\\\\Terminals.exe OR *\\\\spiceworks\\-finder.exe OR *\\\\FSDiscovery.exe OR *\\\\FSAssessment.exe OR *\\\\MobaRTE.exe OR *\\\\chrome.exe OR *\\\\thor.exe OR *\\\\thor64.exe))))
 ```
 
 
 ### xpack-watcher
     
 ```
-curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-Outbound-RDP-Connections <<EOF\n{\n  "metadata": {\n    "title": "Suspicious Outbound RDP Connections",\n    "description": "Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement",\n    "tags": [\n      "attack.lateral_movement",\n      "attack.t1210",\n      "car.2013-07-002"\n    ],\n    "query": "((EventID:\\"3\\" AND DestinationPort:\\"3389\\") AND (NOT (Image.keyword:(*\\\\\\\\mstsc.exe OR *\\\\\\\\RTSApp.exe OR *\\\\\\\\RTS2App.exe OR *\\\\\\\\RDCMan.exe OR *\\\\\\\\ws_TunnelService.exe OR *\\\\\\\\RSSensor.exe OR *\\\\\\\\RemoteDesktopManagerFree.exe OR *\\\\\\\\RemoteDesktopManager.exe OR *\\\\\\\\RemoteDesktopManager64.exe OR *\\\\\\\\mRemoteNG.exe OR *\\\\\\\\mRemote.exe OR *\\\\\\\\Terminals.exe OR *\\\\\\\\spiceworks\\\\-finder.exe OR *\\\\\\\\FSDiscovery.exe OR *\\\\\\\\FSAssessment.exe OR *\\\\\\\\MobaRTE.exe OR *\\\\\\\\chrome.exe OR *\\\\\\\\thor.exe OR *\\\\\\\\thor64.exe))))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "((EventID:\\"3\\" AND DestinationPort:\\"3389\\") AND (NOT (Image.keyword:(*\\\\\\\\mstsc.exe OR *\\\\\\\\RTSApp.exe OR *\\\\\\\\RTS2App.exe OR *\\\\\\\\RDCMan.exe OR *\\\\\\\\ws_TunnelService.exe OR *\\\\\\\\RSSensor.exe OR *\\\\\\\\RemoteDesktopManagerFree.exe OR *\\\\\\\\RemoteDesktopManager.exe OR *\\\\\\\\RemoteDesktopManager64.exe OR *\\\\\\\\mRemoteNG.exe OR *\\\\\\\\mRemote.exe OR *\\\\\\\\Terminals.exe OR *\\\\\\\\spiceworks\\\\-finder.exe OR *\\\\\\\\FSDiscovery.exe OR *\\\\\\\\FSAssessment.exe OR *\\\\\\\\MobaRTE.exe OR *\\\\\\\\chrome.exe OR *\\\\\\\\thor.exe OR *\\\\\\\\thor64.exe))))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Suspicious Outbound RDP Connections\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-Outbound-RDP-Connections <<EOF\n{\n  "metadata": {\n    "title": "Suspicious Outbound RDP Connections",\n    "description": "Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement",\n    "tags": [\n      "attack.lateral_movement",\n      "attack.t1210",\n      "car.2013-07-002"\n    ],\n    "query": "((EventID:\\"3\\" AND DestinationPort:\\"3389\\" AND Initiated:\\"true\\") AND (NOT (Image.keyword:(*\\\\\\\\mstsc.exe OR *\\\\\\\\RTSApp.exe OR *\\\\\\\\RTS2App.exe OR *\\\\\\\\RDCMan.exe OR *\\\\\\\\ws_TunnelService.exe OR *\\\\\\\\RSSensor.exe OR *\\\\\\\\RemoteDesktopManagerFree.exe OR *\\\\\\\\RemoteDesktopManager.exe OR *\\\\\\\\RemoteDesktopManager64.exe OR *\\\\\\\\mRemoteNG.exe OR *\\\\\\\\mRemote.exe OR *\\\\\\\\Terminals.exe OR *\\\\\\\\spiceworks\\\\-finder.exe OR *\\\\\\\\FSDiscovery.exe OR *\\\\\\\\FSAssessment.exe OR *\\\\\\\\MobaRTE.exe OR *\\\\\\\\chrome.exe OR *\\\\\\\\thor.exe OR *\\\\\\\\thor64.exe))))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "((EventID:\\"3\\" AND DestinationPort:\\"3389\\" AND Initiated:\\"true\\") AND (NOT (Image.keyword:(*\\\\\\\\mstsc.exe OR *\\\\\\\\RTSApp.exe OR *\\\\\\\\RTS2App.exe OR *\\\\\\\\RDCMan.exe OR *\\\\\\\\ws_TunnelService.exe OR *\\\\\\\\RSSensor.exe OR *\\\\\\\\RemoteDesktopManagerFree.exe OR *\\\\\\\\RemoteDesktopManager.exe OR *\\\\\\\\RemoteDesktopManager64.exe OR *\\\\\\\\mRemoteNG.exe OR *\\\\\\\\mRemote.exe OR *\\\\\\\\Terminals.exe OR *\\\\\\\\spiceworks\\\\-finder.exe OR *\\\\\\\\FSDiscovery.exe OR *\\\\\\\\FSAssessment.exe OR *\\\\\\\\MobaRTE.exe OR *\\\\\\\\chrome.exe OR *\\\\\\\\thor.exe OR *\\\\\\\\thor64.exe))))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Suspicious Outbound RDP Connections\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
 ```
 
 
 ### graylog
     
 ```
-((EventID:"3" AND DestinationPort:"3389") AND NOT (Image:("*\\\\mstsc.exe" "*\\\\RTSApp.exe" "*\\\\RTS2App.exe" "*\\\\RDCMan.exe" "*\\\\ws_TunnelService.exe" "*\\\\RSSensor.exe" "*\\\\RemoteDesktopManagerFree.exe" "*\\\\RemoteDesktopManager.exe" "*\\\\RemoteDesktopManager64.exe" "*\\\\mRemoteNG.exe" "*\\\\mRemote.exe" "*\\\\Terminals.exe" "*\\\\spiceworks\\-finder.exe" "*\\\\FSDiscovery.exe" "*\\\\FSAssessment.exe" "*\\\\MobaRTE.exe" "*\\\\chrome.exe" "*\\\\thor.exe" "*\\\\thor64.exe")))
+((EventID:"3" AND DestinationPort:"3389" AND Initiated:"true") AND (NOT (Image.keyword:(*\\\\mstsc.exe *\\\\RTSApp.exe *\\\\RTS2App.exe *\\\\RDCMan.exe *\\\\ws_TunnelService.exe *\\\\RSSensor.exe *\\\\RemoteDesktopManagerFree.exe *\\\\RemoteDesktopManager.exe *\\\\RemoteDesktopManager64.exe *\\\\mRemoteNG.exe *\\\\mRemote.exe *\\\\Terminals.exe *\\\\spiceworks\\-finder.exe *\\\\FSDiscovery.exe *\\\\FSAssessment.exe *\\\\MobaRTE.exe *\\\\chrome.exe *\\\\thor.exe *\\\\thor64.exe))))
 ```
 
 
 ### splunk
     
 ```
-((EventID="3" DestinationPort="3389") NOT ((Image="*\\\\mstsc.exe" OR Image="*\\\\RTSApp.exe" OR Image="*\\\\RTS2App.exe" OR Image="*\\\\RDCMan.exe" OR Image="*\\\\ws_TunnelService.exe" OR Image="*\\\\RSSensor.exe" OR Image="*\\\\RemoteDesktopManagerFree.exe" OR Image="*\\\\RemoteDesktopManager.exe" OR Image="*\\\\RemoteDesktopManager64.exe" OR Image="*\\\\mRemoteNG.exe" OR Image="*\\\\mRemote.exe" OR Image="*\\\\Terminals.exe" OR Image="*\\\\spiceworks-finder.exe" OR Image="*\\\\FSDiscovery.exe" OR Image="*\\\\FSAssessment.exe" OR Image="*\\\\MobaRTE.exe" OR Image="*\\\\chrome.exe" OR Image="*\\\\thor.exe" OR Image="*\\\\thor64.exe")))
+((EventID="3" DestinationPort="3389" Initiated="true") NOT ((Image="*\\\\mstsc.exe" OR Image="*\\\\RTSApp.exe" OR Image="*\\\\RTS2App.exe" OR Image="*\\\\RDCMan.exe" OR Image="*\\\\ws_TunnelService.exe" OR Image="*\\\\RSSensor.exe" OR Image="*\\\\RemoteDesktopManagerFree.exe" OR Image="*\\\\RemoteDesktopManager.exe" OR Image="*\\\\RemoteDesktopManager64.exe" OR Image="*\\\\mRemoteNG.exe" OR Image="*\\\\mRemote.exe" OR Image="*\\\\Terminals.exe" OR Image="*\\\\spiceworks-finder.exe" OR Image="*\\\\FSDiscovery.exe" OR Image="*\\\\FSAssessment.exe" OR Image="*\\\\MobaRTE.exe" OR Image="*\\\\chrome.exe" OR Image="*\\\\thor.exe" OR Image="*\\\\thor64.exe")))
 ```
 
 
 ### logpoint
     
 ```
-((EventID="3" DestinationPort="3389")  -(Image IN ["*\\\\mstsc.exe", "*\\\\RTSApp.exe", "*\\\\RTS2App.exe", "*\\\\RDCMan.exe", "*\\\\ws_TunnelService.exe", "*\\\\RSSensor.exe", "*\\\\RemoteDesktopManagerFree.exe", "*\\\\RemoteDesktopManager.exe", "*\\\\RemoteDesktopManager64.exe", "*\\\\mRemoteNG.exe", "*\\\\mRemote.exe", "*\\\\Terminals.exe", "*\\\\spiceworks-finder.exe", "*\\\\FSDiscovery.exe", "*\\\\FSAssessment.exe", "*\\\\MobaRTE.exe", "*\\\\chrome.exe", "*\\\\thor.exe", "*\\\\thor64.exe"]))
+((event_id="3" DestinationPort="3389" Initiated="true")  -(Image IN ["*\\\\mstsc.exe", "*\\\\RTSApp.exe", "*\\\\RTS2App.exe", "*\\\\RDCMan.exe", "*\\\\ws_TunnelService.exe", "*\\\\RSSensor.exe", "*\\\\RemoteDesktopManagerFree.exe", "*\\\\RemoteDesktopManager.exe", "*\\\\RemoteDesktopManager64.exe", "*\\\\mRemoteNG.exe", "*\\\\mRemote.exe", "*\\\\Terminals.exe", "*\\\\spiceworks-finder.exe", "*\\\\FSDiscovery.exe", "*\\\\FSAssessment.exe", "*\\\\MobaRTE.exe", "*\\\\chrome.exe", "*\\\\thor.exe", "*\\\\thor64.exe"]))
 ```
 
 
 ### grep
     
 ```
-grep -P '^(?:.*(?=.*(?:.*(?=.*3)(?=.*3389)))(?=.*(?!.*(?:.*(?=.*(?:.*.*\\mstsc\\.exe|.*.*\\RTSApp\\.exe|.*.*\\RTS2App\\.exe|.*.*\\RDCMan\\.exe|.*.*\\ws_TunnelService\\.exe|.*.*\\RSSensor\\.exe|.*.*\\RemoteDesktopManagerFree\\.exe|.*.*\\RemoteDesktopManager\\.exe|.*.*\\RemoteDesktopManager64\\.exe|.*.*\\mRemoteNG\\.exe|.*.*\\mRemote\\.exe|.*.*\\Terminals\\.exe|.*.*\\spiceworks-finder\\.exe|.*.*\\FSDiscovery\\.exe|.*.*\\FSAssessment\\.exe|.*.*\\MobaRTE\\.exe|.*.*\\chrome\\.exe|.*.*\\thor\\.exe|.*.*\\thor64\\.exe))))))'
+grep -P '^(?:.*(?=.*(?:.*(?=.*3)(?=.*3389)(?=.*true)))(?=.*(?!.*(?:.*(?=.*(?:.*.*\\mstsc\\.exe|.*.*\\RTSApp\\.exe|.*.*\\RTS2App\\.exe|.*.*\\RDCMan\\.exe|.*.*\\ws_TunnelService\\.exe|.*.*\\RSSensor\\.exe|.*.*\\RemoteDesktopManagerFree\\.exe|.*.*\\RemoteDesktopManager\\.exe|.*.*\\RemoteDesktopManager64\\.exe|.*.*\\mRemoteNG\\.exe|.*.*\\mRemote\\.exe|.*.*\\Terminals\\.exe|.*.*\\spiceworks-finder\\.exe|.*.*\\FSDiscovery\\.exe|.*.*\\FSAssessment\\.exe|.*.*\\MobaRTE\\.exe|.*.*\\chrome\\.exe|.*.*\\thor\\.exe|.*.*\\thor64\\.exe))))))'
 ```
 
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_reg_persist_explorer_run.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_reg_persist_explorer_run.md
index f371dd4..59e32dc 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_reg_persist_explorer_run.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_reg_persist_explorer_run.md
@@ -11,7 +11,7 @@
 | Development Status   | experimental |
 | References           | <ul><li>[https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/](https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/)</li></ul>  |
 | Author               | Florian Roth |
-| Other Tags           | <ul><li>capec.270</li><li>capec.270</li></ul> | 
+| Other Tags           | <ul><li>capec.270</li></ul> | 
 
 ## Detection Rules
 
@@ -19,6 +19,7 @@
 
 ```
 title: Registry Persistence via Explorer Run Key
+id: b7916c2a-fa2f-4795-9477-32b731f70f11
 status: experimental
 description: Detects a possible persistence mechanism using RUN key for Windows Explorer and poiting to a suspicious folder
 author: Florian Roth
@@ -76,7 +77,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### graylog
     
 ```
-(EventID:"13" AND TargetObject:"*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run" AND Details:("C\\:\\\\Windows\\\\Temp\\\\*" "C\\:\\\\ProgramData\\\\*" "*\\\\AppData\\\\*" "C\\:\\\\$Recycle.bin\\\\*" "C\\:\\\\Temp\\\\*" "C\\:\\\\Users\\\\Public\\\\*" "C\\:\\\\Users\\\\Default\\\\*"))
+(EventID:"13" AND TargetObject.keyword:*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run AND Details.keyword:(C\\:\\\\Windows\\\\Temp\\\\* C\\:\\\\ProgramData\\\\* *\\\\AppData\\\\* C\\:\\\\$Recycle.bin\\\\* C\\:\\\\Temp\\\\* C\\:\\\\Users\\\\Public\\\\* C\\:\\\\Users\\\\Default\\\\*))
 ```
 
 
@@ -90,7 +91,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### logpoint
     
 ```
-(EventID="13" TargetObject="*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run" Details IN ["C:\\\\Windows\\\\Temp\\\\*", "C:\\\\ProgramData\\\\*", "*\\\\AppData\\\\*", "C:\\\\$Recycle.bin\\\\*", "C:\\\\Temp\\\\*", "C:\\\\Users\\\\Public\\\\*", "C:\\\\Users\\\\Default\\\\*"])
+(event_id="13" TargetObject="*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run" Details IN ["C:\\\\Windows\\\\Temp\\\\*", "C:\\\\ProgramData\\\\*", "*\\\\AppData\\\\*", "C:\\\\$Recycle.bin\\\\*", "C:\\\\Temp\\\\*", "C:\\\\Users\\\\Public\\\\*", "C:\\\\Users\\\\Default\\\\*"])
 ```
 
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_run_key_img_folder.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_run_key_img_folder.md
index 21cc04d..9f224a8 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_run_key_img_folder.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_susp_run_key_img_folder.md
@@ -19,6 +19,7 @@
 
 ```
 title: New RUN Key Pointing to Suspicious Folder
+id: 02ee49e2-e294-4d0f-9278-f5b3212fc588
 status: experimental
 description: Detects suspicious new RUN key element pointing to an executable in a suspicious folder
 references:
@@ -28,6 +29,7 @@ tags:
     - attack.persistence
     - attack.t1060
 date: 2018/25/08
+modified: 2019/10/01
 logsource:
     product: windows
     service: sysmon
@@ -38,13 +40,17 @@ detection:
           - '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\*'
           - '*\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\*'
         Details:
-          - 'C:\Windows\Temp\\*'
+          - '*C:\Windows\Temp\\*'
           - '*\AppData\\*'
-          - 'C:\$Recycle.bin\\*'
-          - 'C:\Temp\\*'
-          - 'C:\Users\Public\\*'
-          - 'C:\Users\Default\\*'
-          - 'C:\Users\Desktop\\*'
+          - '%AppData%\\*'
+          - '*C:\$Recycle.bin\\*'
+          - '*C:\Temp\\*'
+          - '*C:\Users\Public\\*'
+          - '%Public%\\*'
+          - '*C:\Users\Default\\*'
+          - '*C:\Users\Desktop\\*'
+          - 'wscript*'
+          - 'cscript*'
     condition: selection
 fields:
     - Image
@@ -61,42 +67,42 @@ level: high
 ### es-qs
     
 ```
-(EventID:"13" AND TargetObject.keyword:(*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\* OR *\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*) AND Details.keyword:(C\\:\\\\Windows\\\\Temp\\\\* OR *\\\\AppData\\\\* OR C\\:\\\\$Recycle.bin\\\\* OR C\\:\\\\Temp\\\\* OR C\\:\\\\Users\\\\Public\\\\* OR C\\:\\\\Users\\\\Default\\\\* OR C\\:\\\\Users\\\\Desktop\\\\*))
+(EventID:"13" AND TargetObject.keyword:(*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\* OR *\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*) AND Details.keyword:(*C\\:\\\\Windows\\\\Temp\\\\* OR *\\\\AppData\\\\* OR %AppData%\\\\* OR *C\\:\\\\$Recycle.bin\\\\* OR *C\\:\\\\Temp\\\\* OR *C\\:\\\\Users\\\\Public\\\\* OR %Public%\\\\* OR *C\\:\\\\Users\\\\Default\\\\* OR *C\\:\\\\Users\\\\Desktop\\\\* OR wscript* OR cscript*))
 ```
 
 
 ### xpack-watcher
     
 ```
-curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/New-RUN-Key-Pointing-to-Suspicious-Folder <<EOF\n{\n  "metadata": {\n    "title": "New RUN Key Pointing to Suspicious Folder",\n    "description": "Detects suspicious new RUN key element pointing to an executable in a suspicious folder",\n    "tags": [\n      "attack.persistence",\n      "attack.t1060"\n    ],\n    "query": "(EventID:\\"13\\" AND TargetObject.keyword:(*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\* OR *\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunOnce\\\\\\\\*) AND Details.keyword:(C\\\\:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\* OR *\\\\\\\\AppData\\\\\\\\* OR C\\\\:\\\\\\\\$Recycle.bin\\\\\\\\* OR C\\\\:\\\\\\\\Temp\\\\\\\\* OR C\\\\:\\\\\\\\Users\\\\\\\\Public\\\\\\\\* OR C\\\\:\\\\\\\\Users\\\\\\\\Default\\\\\\\\* OR C\\\\:\\\\\\\\Users\\\\\\\\Desktop\\\\\\\\*))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:\\"13\\" AND TargetObject.keyword:(*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\* OR *\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunOnce\\\\\\\\*) AND Details.keyword:(C\\\\:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\* OR *\\\\\\\\AppData\\\\\\\\* OR C\\\\:\\\\\\\\$Recycle.bin\\\\\\\\* OR C\\\\:\\\\\\\\Temp\\\\\\\\* OR C\\\\:\\\\\\\\Users\\\\\\\\Public\\\\\\\\* OR C\\\\:\\\\\\\\Users\\\\\\\\Default\\\\\\\\* OR C\\\\:\\\\\\\\Users\\\\\\\\Desktop\\\\\\\\*))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'New RUN Key Pointing to Suspicious Folder\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\nImage = {{_source.Image}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/New-RUN-Key-Pointing-to-Suspicious-Folder <<EOF\n{\n  "metadata": {\n    "title": "New RUN Key Pointing to Suspicious Folder",\n    "description": "Detects suspicious new RUN key element pointing to an executable in a suspicious folder",\n    "tags": [\n      "attack.persistence",\n      "attack.t1060"\n    ],\n    "query": "(EventID:\\"13\\" AND TargetObject.keyword:(*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\* OR *\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunOnce\\\\\\\\*) AND Details.keyword:(*C\\\\:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\* OR *\\\\\\\\AppData\\\\\\\\* OR %AppData%\\\\\\\\* OR *C\\\\:\\\\\\\\$Recycle.bin\\\\\\\\* OR *C\\\\:\\\\\\\\Temp\\\\\\\\* OR *C\\\\:\\\\\\\\Users\\\\\\\\Public\\\\\\\\* OR %Public%\\\\\\\\* OR *C\\\\:\\\\\\\\Users\\\\\\\\Default\\\\\\\\* OR *C\\\\:\\\\\\\\Users\\\\\\\\Desktop\\\\\\\\* OR wscript* OR cscript*))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:\\"13\\" AND TargetObject.keyword:(*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\* OR *\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunOnce\\\\\\\\*) AND Details.keyword:(*C\\\\:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\* OR *\\\\\\\\AppData\\\\\\\\* OR %AppData%\\\\\\\\* OR *C\\\\:\\\\\\\\$Recycle.bin\\\\\\\\* OR *C\\\\:\\\\\\\\Temp\\\\\\\\* OR *C\\\\:\\\\\\\\Users\\\\\\\\Public\\\\\\\\* OR %Public%\\\\\\\\* OR *C\\\\:\\\\\\\\Users\\\\\\\\Default\\\\\\\\* OR *C\\\\:\\\\\\\\Users\\\\\\\\Desktop\\\\\\\\* OR wscript* OR cscript*))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'New RUN Key Pointing to Suspicious Folder\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\nImage = {{_source.Image}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
 ```
 
 
 ### graylog
     
 ```
-(EventID:"13" AND TargetObject:("*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*" "*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*") AND Details:("C\\:\\\\Windows\\\\Temp\\\\*" "*\\\\AppData\\\\*" "C\\:\\\\$Recycle.bin\\\\*" "C\\:\\\\Temp\\\\*" "C\\:\\\\Users\\\\Public\\\\*" "C\\:\\\\Users\\\\Default\\\\*" "C\\:\\\\Users\\\\Desktop\\\\*"))
+(EventID:"13" AND TargetObject.keyword:(*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\* *\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*) AND Details.keyword:(*C\\:\\\\Windows\\\\Temp\\\\* *\\\\AppData\\\\* %AppData%\\\\* *C\\:\\\\$Recycle.bin\\\\* *C\\:\\\\Temp\\\\* *C\\:\\\\Users\\\\Public\\\\* %Public%\\\\* *C\\:\\\\Users\\\\Default\\\\* *C\\:\\\\Users\\\\Desktop\\\\* wscript* cscript*))
 ```
 
 
 ### splunk
     
 ```
-(EventID="13" (TargetObject="*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*" OR TargetObject="*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*") (Details="C:\\\\Windows\\\\Temp\\\\*" OR Details="*\\\\AppData\\\\*" OR Details="C:\\\\$Recycle.bin\\\\*" OR Details="C:\\\\Temp\\\\*" OR Details="C:\\\\Users\\\\Public\\\\*" OR Details="C:\\\\Users\\\\Default\\\\*" OR Details="C:\\\\Users\\\\Desktop\\\\*")) | table Image
+(EventID="13" (TargetObject="*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*" OR TargetObject="*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*") (Details="*C:\\\\Windows\\\\Temp\\\\*" OR Details="*\\\\AppData\\\\*" OR Details="%AppData%\\\\*" OR Details="*C:\\\\$Recycle.bin\\\\*" OR Details="*C:\\\\Temp\\\\*" OR Details="*C:\\\\Users\\\\Public\\\\*" OR Details="%Public%\\\\*" OR Details="*C:\\\\Users\\\\Default\\\\*" OR Details="*C:\\\\Users\\\\Desktop\\\\*" OR Details="wscript*" OR Details="cscript*")) | table Image
 ```
 
 
 ### logpoint
     
 ```
-(EventID="13" TargetObject IN ["*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*", "*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*"] Details IN ["C:\\\\Windows\\\\Temp\\\\*", "*\\\\AppData\\\\*", "C:\\\\$Recycle.bin\\\\*", "C:\\\\Temp\\\\*", "C:\\\\Users\\\\Public\\\\*", "C:\\\\Users\\\\Default\\\\*", "C:\\\\Users\\\\Desktop\\\\*"])
+(event_id="13" TargetObject IN ["*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*", "*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*"] Details IN ["*C:\\\\Windows\\\\Temp\\\\*", "*\\\\AppData\\\\*", "%AppData%\\\\*", "*C:\\\\$Recycle.bin\\\\*", "*C:\\\\Temp\\\\*", "*C:\\\\Users\\\\Public\\\\*", "%Public%\\\\*", "*C:\\\\Users\\\\Default\\\\*", "*C:\\\\Users\\\\Desktop\\\\*", "wscript*", "cscript*"])
 ```
 
 
 ### grep
     
 ```
-grep -P '^(?:.*(?=.*13)(?=.*(?:.*.*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\\.*|.*.*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\\\.*))(?=.*(?:.*C:\\Windows\\Temp\\\\.*|.*.*\\AppData\\\\.*|.*C:\\\\$Recycle\\.bin\\\\.*|.*C:\\Temp\\\\.*|.*C:\\Users\\Public\\\\.*|.*C:\\Users\\Default\\\\.*|.*C:\\Users\\Desktop\\\\.*)))'
+grep -P '^(?:.*(?=.*13)(?=.*(?:.*.*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\\.*|.*.*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\\\.*))(?=.*(?:.*.*C:\\Windows\\Temp\\\\.*|.*.*\\AppData\\\\.*|.*%AppData%\\\\.*|.*.*C:\\\\$Recycle\\.bin\\\\.*|.*.*C:\\Temp\\\\.*|.*.*C:\\Users\\Public\\\\.*|.*%Public%\\\\.*|.*.*C:\\Users\\Default\\\\.*|.*.*C:\\Users\\Desktop\\\\.*|.*wscript.*|.*cscript.*)))'
 ```
 
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_suspicious_keyboard_layout_load.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_suspicious_keyboard_layout_load.md
new file mode 100644
index 0000000..08ab988
--- /dev/null
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_suspicious_keyboard_layout_load.md
@@ -0,0 +1,98 @@
+| Title                | Suspicious Keyboard Layout Load                                                                                                                                                 |
+|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Description          | Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only                                                                                                                                           |
+| ATT&amp;CK Tactic    |   This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet  |
+| ATT&amp;CK Technique |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
+| Data Needed          | <ul><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li></ul>  |
+| Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
+| Trigger              |  There is no documented Trigger for this Detection Rule yet  |
+| Severity Level       | medium |
+| False Positives      | <ul><li>Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)</li></ul>  |
+| Development Status   |  Development Status wasn't defined for this Detection Rule yet  |
+| References           | <ul><li>[https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index](https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index)</li><li>[https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files](https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files)</li></ul>  |
+| Author               | Florian Roth |
+
+
+## Detection Rules
+
+### Sigma rule
+
+```
+title: Suspicious Keyboard Layout Load
+id: 34aa0252-6039-40ff-951f-939fd6ce47d8
+description: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems
+    maintained by US staff only
+references:
+    - https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index
+    - https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files
+author: Florian Roth
+date: 2019/10/12
+modified: 2019/10/15
+logsource:
+    product: windows
+    service: sysmon
+    definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'
+detection:
+    selection_registry:
+        EventID: 13
+        TargetObject: 
+            - '*\Keyboard Layout\Preload\*'
+            - '*\Keyboard Layout\Substitutes\*'
+        Details: 
+            - 00000429  # Persian (Iran)
+            - 00050429  # Persian (Iran)
+            - 0000042a  # Vietnamese
+    condition: selection_registry
+falsepositives:
+    - "Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)"
+level: medium
+
+```
+
+
+
+
+
+### es-qs
+    
+```
+(EventID:"13" AND TargetObject.keyword:(*\\\\Keyboard\\ Layout\\\\Preload\\* OR *\\\\Keyboard\\ Layout\\\\Substitutes\\*) AND Details:("00000429" OR "00050429" OR "0000042a"))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-Keyboard-Layout-Load <<EOF\n{\n  "metadata": {\n    "title": "Suspicious Keyboard Layout Load",\n    "description": "Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only",\n    "tags": "",\n    "query": "(EventID:\\"13\\" AND TargetObject.keyword:(*\\\\\\\\Keyboard\\\\ Layout\\\\\\\\Preload\\\\* OR *\\\\\\\\Keyboard\\\\ Layout\\\\\\\\Substitutes\\\\*) AND Details:(\\"00000429\\" OR \\"00050429\\" OR \\"0000042a\\"))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:\\"13\\" AND TargetObject.keyword:(*\\\\\\\\Keyboard\\\\ Layout\\\\\\\\Preload\\\\* OR *\\\\\\\\Keyboard\\\\ Layout\\\\\\\\Substitutes\\\\*) AND Details:(\\"00000429\\" OR \\"00050429\\" OR \\"0000042a\\"))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Suspicious Keyboard Layout Load\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(EventID:"13" AND TargetObject.keyword:(*\\\\Keyboard Layout\\\\Preload\\* *\\\\Keyboard Layout\\\\Substitutes\\*) AND Details:("00000429" "00050429" "0000042a"))
+```
+
+
+### splunk
+    
+```
+(EventID="13" (TargetObject="*\\\\Keyboard Layout\\\\Preload\\*" OR TargetObject="*\\\\Keyboard Layout\\\\Substitutes\\*") (Details="00000429" OR Details="00050429" OR Details="0000042a"))
+```
+
+
+### logpoint
+    
+```
+(event_id="13" TargetObject IN ["*\\\\Keyboard Layout\\\\Preload\\*", "*\\\\Keyboard Layout\\\\Substitutes\\*"] Details IN ["00000429", "00050429", "0000042a"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*13)(?=.*(?:.*.*\\Keyboard Layout\\Preload\\.*|.*.*\\Keyboard Layout\\Substitutes\\.*))(?=.*(?:.*00000429|.*00050429|.*0000042a)))'
+```
+
+
+
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_svchost_dll_search_order_hijack.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_svchost_dll_search_order_hijack.md
new file mode 100644
index 0000000..ca2bc43
--- /dev/null
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_svchost_dll_search_order_hijack.md
@@ -0,0 +1,107 @@
+| Title                | Svchost DLL Search Order Hijack                                                                                                                                                 |
+|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Description          | IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\Windows\System32\ by default. An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services "svchost.exe -k netsvcs" to gain code execution on a remote machine.                                                                                                                                           |
+| ATT&amp;CK Tactic    |  <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
+| ATT&amp;CK Technique | <ul><li>[T1073: DLL Side-Loading](https://attack.mitre.org/techniques/T1073)</li><li>[T1038: DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1038)</li><li>[T1112: Modify Registry](https://attack.mitre.org/techniques/T1112)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0011_7_windows_sysmon_image_loaded](../Data_Needed/DN_0011_7_windows_sysmon_image_loaded.md)</li></ul>  |
+| Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
+| Trigger              | <ul><li>[T1073: DLL Side-Loading](../Triggers/T1073.md)</li><li>[T1038: DLL Search Order Hijacking](../Triggers/T1038.md)</li><li>[T1112: Modify Registry](../Triggers/T1112.md)</li></ul>  |
+| Severity Level       | high |
+| False Positives      | <ul><li>Pentest</li></ul>  |
+| Development Status   | experimental |
+| References           | <ul><li>[https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992](https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992)</li></ul>  |
+| Author               | SBousseaden |
+
+
+## Detection Rules
+
+### Sigma rule
+
+```
+title: Svchost DLL Search Order Hijack
+id: 602a1f13-c640-4d73-b053-be9a2fa58b77
+status: experimental
+description: IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\Windows\System32\ by default. An attacker can place their
+    malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services "svchost.exe -k netsvcs" to gain code execution on a
+    remote machine.
+references:
+    - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
+author: SBousseaden
+date: 2019/10/28
+tags:
+    - attack.persistence
+    - attack.defense_evasion
+    - attack.t1073
+    - attack.t1038
+    - attack.t1112
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 7
+        Image:
+            - '*\svchost.exe'
+        ImageLoaded:
+            - '*\tsmsisrv.dll'
+            - '*\tsvipsrv.dll'
+            - '*\wlbsctrl.dll'
+    filter:
+        EventID: 7
+        Image:
+            - '*\svchost.exe'
+        ImageLoaded:
+            - 'C:\Windows\WinSxS\*'        
+    condition: selection and not filter
+falsepositives:
+    - Pentest
+level: high
+```
+
+
+
+
+
+### es-qs
+    
+```
+((EventID:"7" AND Image.keyword:(*\\\\svchost.exe) AND ImageLoaded.keyword:(*\\\\tsmsisrv.dll OR *\\\\tsvipsrv.dll OR *\\\\wlbsctrl.dll)) AND (NOT (EventID:"7" AND Image.keyword:(*\\\\svchost.exe) AND ImageLoaded:("C\\:\\\\Windows\\\\WinSxS\\*"))))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Svchost-DLL-Search-Order-Hijack <<EOF\n{\n  "metadata": {\n    "title": "Svchost DLL Search Order Hijack",\n    "description": "IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\\\\Windows\\\\System32\\\\ by default. An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services \\"svchost.exe -k netsvcs\\" to gain code execution on a remote machine.",\n    "tags": [\n      "attack.persistence",\n      "attack.defense_evasion",\n      "attack.t1073",\n      "attack.t1038",\n      "attack.t1112"\n    ],\n    "query": "((EventID:\\"7\\" AND Image.keyword:(*\\\\\\\\svchost.exe) AND ImageLoaded.keyword:(*\\\\\\\\tsmsisrv.dll OR *\\\\\\\\tsvipsrv.dll OR *\\\\\\\\wlbsctrl.dll)) AND (NOT (EventID:\\"7\\" AND Image.keyword:(*\\\\\\\\svchost.exe) AND ImageLoaded:(\\"C\\\\:\\\\\\\\Windows\\\\\\\\WinSxS\\\\*\\"))))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "((EventID:\\"7\\" AND Image.keyword:(*\\\\\\\\svchost.exe) AND ImageLoaded.keyword:(*\\\\\\\\tsmsisrv.dll OR *\\\\\\\\tsvipsrv.dll OR *\\\\\\\\wlbsctrl.dll)) AND (NOT (EventID:\\"7\\" AND Image.keyword:(*\\\\\\\\svchost.exe) AND ImageLoaded:(\\"C\\\\:\\\\\\\\Windows\\\\\\\\WinSxS\\\\*\\"))))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Svchost DLL Search Order Hijack\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+((EventID:"7" AND Image.keyword:(*\\\\svchost.exe) AND ImageLoaded.keyword:(*\\\\tsmsisrv.dll *\\\\tsvipsrv.dll *\\\\wlbsctrl.dll)) AND (NOT (EventID:"7" AND Image.keyword:(*\\\\svchost.exe) AND ImageLoaded:("C\\:\\\\Windows\\\\WinSxS\\*"))))
+```
+
+
+### splunk
+    
+```
+((EventID="7" (Image="*\\\\svchost.exe") (ImageLoaded="*\\\\tsmsisrv.dll" OR ImageLoaded="*\\\\tsvipsrv.dll" OR ImageLoaded="*\\\\wlbsctrl.dll")) NOT (EventID="7" (Image="*\\\\svchost.exe") (ImageLoaded="C:\\\\Windows\\\\WinSxS\\*")))
+```
+
+
+### logpoint
+    
+```
+((event_id="7" Image IN ["*\\\\svchost.exe"] ImageLoaded IN ["*\\\\tsmsisrv.dll", "*\\\\tsvipsrv.dll", "*\\\\wlbsctrl.dll"])  -(event_id="7" Image IN ["*\\\\svchost.exe"] ImageLoaded IN ["C:\\\\Windows\\\\WinSxS\\*"]))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*(?=.*7)(?=.*(?:.*.*\\svchost\\.exe))(?=.*(?:.*.*\\tsmsisrv\\.dll|.*.*\\tsvipsrv\\.dll|.*.*\\wlbsctrl\\.dll))))(?=.*(?!.*(?:.*(?=.*7)(?=.*(?:.*.*\\svchost\\.exe))(?=.*(?:.*C:\\Windows\\WinSxS\\.*))))))'
+```
+
+
+
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_sysinternals_eula_accepted.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_sysinternals_eula_accepted.md
index 08a68b0..38faa1e 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_sysinternals_eula_accepted.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_sysinternals_eula_accepted.md
@@ -18,11 +18,11 @@
 ### Sigma rule
 
 ```
----
 action: global
-title: Usage of Sysinternals Tools 
+title: Usage of Sysinternals Tools
+id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
 status: experimental
-description: Detects the usage of Sysinternals Tools due to accepteula key being added to Registry 
+description: Detects the usage of Sysinternals Tools due to accepteula key being added to Registry
 references:
     - https://twitter.com/Moti_B/status/1008587936735035392
 date: 2017/08/28
@@ -71,7 +71,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### graylog
     
 ```
-(EventID:"13" AND TargetObject:"*\\\\EulaAccepted")\nCommandLine:"* \\-accepteula*"
+(EventID:"13" AND TargetObject.keyword:*\\\\EulaAccepted)\nCommandLine.keyword:* \\-accepteula*
 ```
 
 
@@ -85,7 +85,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### logpoint
     
 ```
-(EventID="13" TargetObject="*\\\\EulaAccepted")\nCommandLine="* -accepteula*"
+(event_id="13" TargetObject="*\\\\EulaAccepted")\n(event_id="1" CommandLine="* -accepteula*")
 ```
 
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_tsclient_filewrite_startup.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_tsclient_filewrite_startup.md
index aa99b40..fc6d968 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_tsclient_filewrite_startup.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_tsclient_filewrite_startup.md
@@ -18,7 +18,8 @@
 ### Sigma rule
 
 ```
-title: Hijack legit RDP session to move laterally  
+title: Hijack legit RDP session to move laterally
+id: 52753ea4-b3a0-4365-910d-36cff487b789
 status: experimental
 description: Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder
 date: 2019/02/21
@@ -59,7 +60,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### graylog
     
 ```
-(EventID:"11" AND Image:"*\\\\mstsc.exe" AND TargetFileName:"*\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*")
+(EventID:"11" AND Image.keyword:*\\\\mstsc.exe AND TargetFileName.keyword:*\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*)
 ```
 
 
@@ -73,7 +74,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### logpoint
     
 ```
-(EventID="11" Image="*\\\\mstsc.exe" TargetFileName="*\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*")
+(event_id="11" Image="*\\\\mstsc.exe" TargetFileName="*\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*")
 ```
 
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_uac_bypass_eventvwr.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_uac_bypass_eventvwr.md
index fd2a46e..f7f45e1 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_uac_bypass_eventvwr.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_uac_bypass_eventvwr.md
@@ -11,7 +11,7 @@
 | Development Status   | experimental |
 | References           | <ul><li>[https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/](https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/)</li><li>[https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100](https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100)</li></ul>  |
 | Author               | Florian Roth |
-| Other Tags           | <ul><li>car.2019-04-001</li><li>car.2019-04-001</li></ul> | 
+| Other Tags           | <ul><li>car.2019-04-001</li></ul> | 
 
 ## Detection Rules
 
@@ -19,6 +19,7 @@
 
 ```
 title: UAC Bypass via Event Viewer
+id: 7c81fec3-1c1d-43b0-996a-46753041b1b6
 status: experimental
 description: Detects UAC bypass method using Windows event viewer
 references:
@@ -72,7 +73,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### graylog
     
 ```
-((EventID:"13" AND TargetObject:"HKEY_USERS\\\\*\\\\mscfile\\\\shell\\\\open\\\\command") OR ((EventID:"1" AND ParentImage:"*\\\\eventvwr.exe") AND NOT (Image:"*\\\\mmc.exe")))
+((EventID:"13" AND TargetObject.keyword:HKEY_USERS\\\\*\\\\mscfile\\\\shell\\\\open\\\\command) OR ((EventID:"1" AND ParentImage.keyword:*\\\\eventvwr.exe) AND (NOT (Image.keyword:*\\\\mmc.exe))))
 ```
 
 
@@ -86,7 +87,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### logpoint
     
 ```
-((EventID="13" TargetObject="HKEY_USERS\\\\*\\\\mscfile\\\\shell\\\\open\\\\command") OR ((EventID="1" ParentImage="*\\\\eventvwr.exe")  -(Image="*\\\\mmc.exe")))
+((event_id="13" TargetObject="HKEY_USERS\\\\*\\\\mscfile\\\\shell\\\\open\\\\command") OR ((event_id="1" ParentImage="*\\\\eventvwr.exe")  -(Image="*\\\\mmc.exe")))
 ```
 
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_uac_bypass_sdclt.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_uac_bypass_sdclt.md
index d96b775..7d92578 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_uac_bypass_sdclt.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_uac_bypass_sdclt.md
@@ -11,7 +11,7 @@
 | Development Status   | experimental |
 | References           | <ul><li>[https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/](https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/)</li></ul>  |
 | Author               | Omer Yampel |
-| Other Tags           | <ul><li>car.2019-04-001</li><li>car.2019-04-001</li></ul> | 
+| Other Tags           | <ul><li>car.2019-04-001</li></ul> | 
 
 ## Detection Rules
 
@@ -19,6 +19,7 @@
 
 ```
 title: UAC Bypass via sdclt
+id: 5b872a46-3b90-45c1-8419-f675db8053aa
 status: experimental
 description: Detects changes to HKCU:\Software\Classes\exefile\shell\runas\command\isolatedCommand
 references:
@@ -65,7 +66,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### graylog
     
 ```
-(EventID:"13" AND TargetObject:"HKEY_USERS\\\\*\\\\Classes\\\\exefile\\\\shell\\\\runas\\\\command\\\\isolatedCommand")
+(EventID:"13" AND TargetObject.keyword:HKEY_USERS\\\\*\\\\Classes\\\\exefile\\\\shell\\\\runas\\\\command\\\\isolatedCommand)
 ```
 
 
@@ -79,7 +80,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### logpoint
     
 ```
-(EventID="13" TargetObject="HKEY_USERS\\\\*\\\\Classes\\\\exefile\\\\shell\\\\runas\\\\command\\\\isolatedCommand")
+(event_id="13" TargetObject="HKEY_USERS\\\\*\\\\Classes\\\\exefile\\\\shell\\\\runas\\\\command\\\\isolatedCommand")
 ```
 
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_webshell_creation_detect.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_webshell_creation_detect.md
new file mode 100644
index 0000000..0cbc5fe
--- /dev/null
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_webshell_creation_detect.md
@@ -0,0 +1,115 @@
+| Title                | Windows webshell creation                                                                                                                                                 |
+|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Description          | Posible webshell file creation on a static web site                                                                                                                                           |
+| ATT&amp;CK Tactic    |  <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul>  |
+| ATT&amp;CK Technique | <ul><li>[T1100: Web Shell](https://attack.mitre.org/techniques/T1100)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0015_11_windows_sysmon_FileCreate](../Data_Needed/DN_0015_11_windows_sysmon_FileCreate.md)</li></ul>  |
+| Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
+| Trigger              | <ul><li>[T1100: Web Shell](../Triggers/T1100.md)</li></ul>  |
+| Severity Level       | critical |
+| False Positives      | <ul><li>Legitimate administrator or developer creating legitimate executable files in a web application folder</li></ul>  |
+| Development Status   | experimental |
+| References           | <ul><li>[PT ESC rule and personal experience](PT ESC rule and personal experience)</li></ul>  |
+| Author               | Beyu Denis, oscd.community |
+
+
+## Detection Rules
+
+### Sigma rule
+
+```
+title: Windows webshell creation
+id: 39f1f9f2-9636-45de-98f6-a4046aa8e4b9
+status: experimental
+description: Posible webshell file creation on a static web site
+references:
+    - PT ESC rule and personal experience
+author: Beyu Denis, oscd.community
+date: 2019/10/22
+modified: 2019/11/04
+tags:
+    - attack.persistence
+    - attack.t1100
+level: critical
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection_1:
+        EventID: 11
+    selection_2:
+        TargetFilename|contains: '\inetpub\wwwroot\'
+    selection_3:        
+        TargetFilename|contains:
+            - '.asp'
+            - '.ashx'
+            - '.ph'
+    selection_4: 
+        TargetFilename|contains:
+            - '\www\'
+            - '\htdocs\'
+            - '\html\'
+    selection_5:
+        TargetFilename|contains: '.ph'
+    selection_6:
+        - TargetFilename|contains|all: 
+            - '\'
+            - '.jsp'
+        - TargetFilename|contains|all: 
+            - '\cgi-bin\'
+            - '.pl'
+    condition: selection_1 and ( selection_2 and selection_3 ) or
+               selection_1 and ( selection_4 and selection_5 ) or
+               selection_1 and selection_6
+falsepositives:
+    - Legitimate administrator or developer creating legitimate executable files in a web application folder
+
+```
+
+
+
+
+
+### es-qs
+    
+```
+(EventID:"11" AND ((TargetFilename.keyword:*\\\\inetpub\\\\wwwroot\\* AND TargetFilename.keyword:(*.asp* OR *.ashx* OR *.ph*)) OR (TargetFilename.keyword:(*\\\\www\\* OR *\\\\htdocs\\* OR *\\\\html\\*) AND TargetFilename.keyword:*.ph*) OR (TargetFilename.keyword:*\\* AND TargetFilename.keyword:*.jsp*) OR (TargetFilename.keyword:*\\\\cgi\\-bin\\* AND TargetFilename.keyword:*.pl*)))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Windows-webshell-creation <<EOF\n{\n  "metadata": {\n    "title": "Windows webshell creation",\n    "description": "Posible webshell file creation on a static web site",\n    "tags": [\n      "attack.persistence",\n      "attack.t1100"\n    ],\n    "query": "(EventID:\\"11\\" AND ((TargetFilename.keyword:*\\\\\\\\inetpub\\\\\\\\wwwroot\\\\* AND TargetFilename.keyword:(*.asp* OR *.ashx* OR *.ph*)) OR (TargetFilename.keyword:(*\\\\\\\\www\\\\* OR *\\\\\\\\htdocs\\\\* OR *\\\\\\\\html\\\\*) AND TargetFilename.keyword:*.ph*) OR (TargetFilename.keyword:*\\\\* AND TargetFilename.keyword:*.jsp*) OR (TargetFilename.keyword:*\\\\\\\\cgi\\\\-bin\\\\* AND TargetFilename.keyword:*.pl*)))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:\\"11\\" AND ((TargetFilename.keyword:*\\\\\\\\inetpub\\\\\\\\wwwroot\\\\* AND TargetFilename.keyword:(*.asp* OR *.ashx* OR *.ph*)) OR (TargetFilename.keyword:(*\\\\\\\\www\\\\* OR *\\\\\\\\htdocs\\\\* OR *\\\\\\\\html\\\\*) AND TargetFilename.keyword:*.ph*) OR (TargetFilename.keyword:*\\\\* AND TargetFilename.keyword:*.jsp*) OR (TargetFilename.keyword:*\\\\\\\\cgi\\\\-bin\\\\* AND TargetFilename.keyword:*.pl*)))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Windows webshell creation\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(EventID:"11" AND ((TargetFilename.keyword:*\\\\inetpub\\\\wwwroot\\* AND TargetFilename.keyword:(*.asp* *.ashx* *.ph*)) OR (TargetFilename.keyword:(*\\\\www\\* *\\\\htdocs\\* *\\\\html\\*) AND TargetFilename.keyword:*.ph*) OR (TargetFilename.keyword:*\\* AND TargetFilename.keyword:*.jsp*) OR (TargetFilename.keyword:*\\\\cgi\\-bin\\* AND TargetFilename.keyword:*.pl*)))
+```
+
+
+### splunk
+    
+```
+(EventID="11" ((TargetFilename="*\\\\inetpub\\\\wwwroot\\*" (TargetFilename="*.asp*" OR TargetFilename="*.ashx*" OR TargetFilename="*.ph*")) OR ((TargetFilename="*\\\\www\\*" OR TargetFilename="*\\\\htdocs\\*" OR TargetFilename="*\\\\html\\*") TargetFilename="*.ph*") OR (TargetFilename="*\\*" TargetFilename="*.jsp*") OR (TargetFilename="*\\\\cgi-bin\\*" TargetFilename="*.pl*")))
+```
+
+
+### logpoint
+    
+```
+(event_id="11" ((TargetFilename="*\\\\inetpub\\\\wwwroot\\*" TargetFilename IN ["*.asp*", "*.ashx*", "*.ph*"]) OR (TargetFilename IN ["*\\\\www\\*", "*\\\\htdocs\\*", "*\\\\html\\*"] TargetFilename="*.ph*") OR (TargetFilename="*\\*" TargetFilename="*.jsp*") OR (TargetFilename="*\\\\cgi-bin\\*" TargetFilename="*.pl*")))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*11)(?=.*(?:.*(?:.*(?:.*(?=.*.*\\inetpub\\wwwroot\\.*)(?=.*(?:.*.*\\.asp.*|.*.*\\.ashx.*|.*.*\\.ph.*)))|.*(?:.*(?=.*(?:.*.*\\www\\.*|.*.*\\htdocs\\.*|.*.*\\html\\.*))(?=.*.*\\.ph.*))|.*(?:.*(?=.*.*\\.*)(?=.*.*\\.jsp.*))|.*(?:.*(?=.*.*\\cgi-bin\\.*)(?=.*.*\\.pl.*))))))'
+```
+
+
+
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_win_binary_github_com.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_win_binary_github_com.md
index 427523d..14b8266 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_win_binary_github_com.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_win_binary_github_com.md
@@ -19,6 +19,7 @@
 
 ```
 title: Microsoft Binary Github Communication
+id: 635dbb88-67b3-4b41-9ea5-a3af2dd88153
 status: experimental
 description: Detects an executable in the Windows folder accessing github.com
 references:
@@ -34,6 +35,7 @@ logsource:
 detection:
     selection:
         EventID: 3
+        Initiated: 'true'
         DestinationHostname: 
             - '*.github.com'
             - '*.githubusercontent.com'
@@ -54,42 +56,42 @@ level: high
 ### es-qs
     
 ```
-(EventID:"3" AND DestinationHostname.keyword:(*.github.com OR *.githubusercontent.com) AND Image.keyword:C\\:\\\\Windows\\\\*)
+(EventID:"3" AND Initiated:"true" AND DestinationHostname.keyword:(*.github.com OR *.githubusercontent.com) AND Image.keyword:C\\:\\\\Windows\\\\*)
 ```
 
 
 ### xpack-watcher
     
 ```
-curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Microsoft-Binary-Github-Communication <<EOF\n{\n  "metadata": {\n    "title": "Microsoft Binary Github Communication",\n    "description": "Detects an executable in the Windows folder accessing github.com",\n    "tags": [\n      "attack.lateral_movement",\n      "attack.t1105"\n    ],\n    "query": "(EventID:\\"3\\" AND DestinationHostname.keyword:(*.github.com OR *.githubusercontent.com) AND Image.keyword:C\\\\:\\\\\\\\Windows\\\\\\\\*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:\\"3\\" AND DestinationHostname.keyword:(*.github.com OR *.githubusercontent.com) AND Image.keyword:C\\\\:\\\\\\\\Windows\\\\\\\\*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Microsoft Binary Github Communication\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Microsoft-Binary-Github-Communication <<EOF\n{\n  "metadata": {\n    "title": "Microsoft Binary Github Communication",\n    "description": "Detects an executable in the Windows folder accessing github.com",\n    "tags": [\n      "attack.lateral_movement",\n      "attack.t1105"\n    ],\n    "query": "(EventID:\\"3\\" AND Initiated:\\"true\\" AND DestinationHostname.keyword:(*.github.com OR *.githubusercontent.com) AND Image.keyword:C\\\\:\\\\\\\\Windows\\\\\\\\*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:\\"3\\" AND Initiated:\\"true\\" AND DestinationHostname.keyword:(*.github.com OR *.githubusercontent.com) AND Image.keyword:C\\\\:\\\\\\\\Windows\\\\\\\\*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Microsoft Binary Github Communication\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
 ```
 
 
 ### graylog
     
 ```
-(EventID:"3" AND DestinationHostname:("*.github.com" "*.githubusercontent.com") AND Image:"C\\:\\\\Windows\\\\*")
+(EventID:"3" AND Initiated:"true" AND DestinationHostname.keyword:(*.github.com *.githubusercontent.com) AND Image.keyword:C\\:\\\\Windows\\\\*)
 ```
 
 
 ### splunk
     
 ```
-(EventID="3" (DestinationHostname="*.github.com" OR DestinationHostname="*.githubusercontent.com") Image="C:\\\\Windows\\\\*")
+(EventID="3" Initiated="true" (DestinationHostname="*.github.com" OR DestinationHostname="*.githubusercontent.com") Image="C:\\\\Windows\\\\*")
 ```
 
 
 ### logpoint
     
 ```
-(EventID="3" DestinationHostname IN ["*.github.com", "*.githubusercontent.com"] Image="C:\\\\Windows\\\\*")
+(event_id="3" Initiated="true" DestinationHostname IN ["*.github.com", "*.githubusercontent.com"] Image="C:\\\\Windows\\\\*")
 ```
 
 
 ### grep
     
 ```
-grep -P '^(?:.*(?=.*3)(?=.*(?:.*.*\\.github\\.com|.*.*\\.githubusercontent\\.com))(?=.*C:\\Windows\\\\.*))'
+grep -P '^(?:.*(?=.*3)(?=.*true)(?=.*(?:.*.*\\.github\\.com|.*.*\\.githubusercontent\\.com))(?=.*C:\\Windows\\\\.*))'
 ```
 
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_win_binary_susp_com.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_win_binary_susp_com.md
index d0a39fa..dcd1cad 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_win_binary_susp_com.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_win_binary_susp_com.md
@@ -19,6 +19,7 @@
 
 ```
 title: Microsoft Binary Suspicious Communication Endpoint
+id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
 status: experimental
 description: Detects an executable in the Windows folder accessing suspicious domains
 references:
@@ -35,6 +36,7 @@ logsource:
 detection:
     selection:
         EventID: 3
+        Initiated: 'true'
         DestinationHostname: 
             - '*dl.dropboxusercontent.com'
             - '*.pastebin.com'
@@ -55,42 +57,42 @@ level: high
 ### es-qs
     
 ```
-(EventID:"3" AND DestinationHostname.keyword:(*dl.dropboxusercontent.com OR *.pastebin.com OR *.githubusercontent.com) AND Image.keyword:C\\:\\\\Windows\\\\*)
+(EventID:"3" AND Initiated:"true" AND DestinationHostname.keyword:(*dl.dropboxusercontent.com OR *.pastebin.com OR *.githubusercontent.com) AND Image.keyword:C\\:\\\\Windows\\\\*)
 ```
 
 
 ### xpack-watcher
     
 ```
-curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Microsoft-Binary-Suspicious-Communication-Endpoint <<EOF\n{\n  "metadata": {\n    "title": "Microsoft Binary Suspicious Communication Endpoint",\n    "description": "Detects an executable in the Windows folder accessing suspicious domains",\n    "tags": [\n      "attack.lateral_movement",\n      "attack.t1105"\n    ],\n    "query": "(EventID:\\"3\\" AND DestinationHostname.keyword:(*dl.dropboxusercontent.com OR *.pastebin.com OR *.githubusercontent.com) AND Image.keyword:C\\\\:\\\\\\\\Windows\\\\\\\\*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:\\"3\\" AND DestinationHostname.keyword:(*dl.dropboxusercontent.com OR *.pastebin.com OR *.githubusercontent.com) AND Image.keyword:C\\\\:\\\\\\\\Windows\\\\\\\\*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Microsoft Binary Suspicious Communication Endpoint\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Microsoft-Binary-Suspicious-Communication-Endpoint <<EOF\n{\n  "metadata": {\n    "title": "Microsoft Binary Suspicious Communication Endpoint",\n    "description": "Detects an executable in the Windows folder accessing suspicious domains",\n    "tags": [\n      "attack.lateral_movement",\n      "attack.t1105"\n    ],\n    "query": "(EventID:\\"3\\" AND Initiated:\\"true\\" AND DestinationHostname.keyword:(*dl.dropboxusercontent.com OR *.pastebin.com OR *.githubusercontent.com) AND Image.keyword:C\\\\:\\\\\\\\Windows\\\\\\\\*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:\\"3\\" AND Initiated:\\"true\\" AND DestinationHostname.keyword:(*dl.dropboxusercontent.com OR *.pastebin.com OR *.githubusercontent.com) AND Image.keyword:C\\\\:\\\\\\\\Windows\\\\\\\\*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Microsoft Binary Suspicious Communication Endpoint\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
 ```
 
 
 ### graylog
     
 ```
-(EventID:"3" AND DestinationHostname:("*dl.dropboxusercontent.com" "*.pastebin.com" "*.githubusercontent.com") AND Image:"C\\:\\\\Windows\\\\*")
+(EventID:"3" AND Initiated:"true" AND DestinationHostname.keyword:(*dl.dropboxusercontent.com *.pastebin.com *.githubusercontent.com) AND Image.keyword:C\\:\\\\Windows\\\\*)
 ```
 
 
 ### splunk
     
 ```
-(EventID="3" (DestinationHostname="*dl.dropboxusercontent.com" OR DestinationHostname="*.pastebin.com" OR DestinationHostname="*.githubusercontent.com") Image="C:\\\\Windows\\\\*")
+(EventID="3" Initiated="true" (DestinationHostname="*dl.dropboxusercontent.com" OR DestinationHostname="*.pastebin.com" OR DestinationHostname="*.githubusercontent.com") Image="C:\\\\Windows\\\\*")
 ```
 
 
 ### logpoint
     
 ```
-(EventID="3" DestinationHostname IN ["*dl.dropboxusercontent.com", "*.pastebin.com", "*.githubusercontent.com"] Image="C:\\\\Windows\\\\*")
+(event_id="3" Initiated="true" DestinationHostname IN ["*dl.dropboxusercontent.com", "*.pastebin.com", "*.githubusercontent.com"] Image="C:\\\\Windows\\\\*")
 ```
 
 
 ### grep
     
 ```
-grep -P '^(?:.*(?=.*3)(?=.*(?:.*.*dl\\.dropboxusercontent\\.com|.*.*\\.pastebin\\.com|.*.*\\.githubusercontent\\.com))(?=.*C:\\Windows\\\\.*))'
+grep -P '^(?:.*(?=.*3)(?=.*true)(?=.*(?:.*.*dl\\.dropboxusercontent\\.com|.*.*\\.pastebin\\.com|.*.*\\.githubusercontent\\.com))(?=.*C:\\Windows\\\\.*))'
 ```
 
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_win_reg_persistence.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_win_reg_persistence.md
index 0539a70..bce7516 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_win_reg_persistence.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_win_reg_persistence.md
@@ -11,7 +11,7 @@
 | Development Status   |  Development Status wasn't defined for this Detection Rule yet  |
 | References           | <ul><li>[https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/](https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/)</li></ul>  |
 | Author               | Karneades |
-| Other Tags           | <ul><li>car.2013-01-002</li><li>car.2013-01-002</li></ul> | 
+| Other Tags           | <ul><li>car.2013-01-002</li></ul> | 
 
 ## Detection Rules
 
@@ -19,22 +19,23 @@
 
 ```
 title: Registry Persistence Mechanisms
-description: Detects persistence registry keys 
+id: 36803969-5421-41ec-b92f-8500f79c23b0
+description: Detects persistence registry keys
 references:
     - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
 date: 2018/04/11
 author: Karneades
 logsource:
-   product: windows
-   service: sysmon
+    product: windows
+    service: sysmon
 detection:
     selection_reg1:
-        EventID: 13 
-        TargetObject: 
+        EventID: 13
+        TargetObject:
             - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\*\GlobalFlag'
             - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\\*\ReportingMode'
             - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\\*\MonitorProcess'
-        EventType: 'SetValue'
+        EventType: SetValue
     condition: selection_reg1
 tags:
     - attack.privilege_escalation
@@ -69,7 +70,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### graylog
     
 ```
-(EventID:"13" AND TargetObject:("*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\GlobalFlag" "*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\ReportingMode" "*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess") AND EventType:"SetValue")
+(EventID:"13" AND TargetObject.keyword:(*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\GlobalFlag *\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\ReportingMode *\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess) AND EventType:"SetValue")
 ```
 
 
@@ -83,7 +84,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### logpoint
     
 ```
-(EventID="13" TargetObject IN ["*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\GlobalFlag", "*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\ReportingMode", "*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess"] EventType="SetValue")
+(event_id="13" TargetObject IN ["*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\GlobalFlag", "*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\ReportingMode", "*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess"] EventType="SetValue")
 ```
 
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_wmi_event_subscription.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_wmi_event_subscription.md
index c97b989..39ca824 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_wmi_event_subscription.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_wmi_event_subscription.md
@@ -3,7 +3,7 @@
 | Description          | Detects creation of WMI event subscription persistence method                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1084: Windows Management Instrumentation Event Subscription](https://attack.mitre.org/techniques/T1084)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0024_21_windows_sysmon_WmiEvent](../Data_Needed/DN_0024_21_windows_sysmon_WmiEvent.md)</li><li>[DN_0023_20_windows_sysmon_WmiEvent](../Data_Needed/DN_0023_20_windows_sysmon_WmiEvent.md)</li><li>[DN_0022_19_windows_sysmon_WmiEvent](../Data_Needed/DN_0022_19_windows_sysmon_WmiEvent.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0023_20_windows_sysmon_WmiEvent](../Data_Needed/DN_0023_20_windows_sysmon_WmiEvent.md)</li><li>[DN_0024_21_windows_sysmon_WmiEvent](../Data_Needed/DN_0024_21_windows_sysmon_WmiEvent.md)</li><li>[DN_0022_19_windows_sysmon_WmiEvent](../Data_Needed/DN_0022_19_windows_sysmon_WmiEvent.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1084: Windows Management Instrumentation Event Subscription](../Triggers/T1084.md)</li></ul>  |
 | Severity Level       | high |
@@ -19,6 +19,7 @@
 
 ```
 title: WMI Event Subscription
+id: 0f06a3a5-6a09-413f-8743-e6cf35561297
 status: experimental
 description: Detects creation of WMI event subscription persistence method
 references:
@@ -79,7 +80,7 @@ EventID:("19" "20" "21")
 ### logpoint
     
 ```
-EventID IN ["19", "20", "21"]
+event_id IN ["19", "20", "21"]
 ```
 
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_wmi_persistence_commandline_event_consumer.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_wmi_persistence_commandline_event_consumer.md
index 5e5dff0..6273f9f 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_wmi_persistence_commandline_event_consumer.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_wmi_persistence_commandline_event_consumer.md
@@ -19,6 +19,7 @@
 
 ```
 title: WMI Persistence - Command Line Event Consumer
+id: 05936ce2-ee05-4dae-9d03-9a391cf2d2c6
 status: experimental
 description: Detects WMI command line event consumers
 references:
@@ -78,7 +79,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### logpoint
     
 ```
-(EventID="7" Image="C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe" ImageLoaded="wbemcons.dll")
+(event_id="7" Image="C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe" ImageLoaded="wbemcons.dll")
 ```
 
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_wmi_persistence_script_event_consumer_write.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_wmi_persistence_script_event_consumer_write.md
index 7f9c485..4ca73b5 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_wmi_persistence_script_event_consumer_write.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_wmi_persistence_script_event_consumer_write.md
@@ -19,6 +19,7 @@
 
 ```
 title: WMI Persistence - Script Event Consumer File Write
+id: 33f41cdd-35ac-4ba8-814b-c6a4244a1ad4
 status: experimental
 description: Detects file writes of WMI script event consumer
 references:
@@ -77,7 +78,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### logpoint
     
 ```
-(EventID="11" Image="C:\\\\WINDOWS\\\\system32\\\\wbem\\\\scrcons.exe")
+(event_id="11" Image="C:\\\\WINDOWS\\\\system32\\\\wbem\\\\scrcons.exe")
 ```
 
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/sysmon_wmi_susp_scripting.md b/Atomic_Threat_Coverage/Detection_Rules/sysmon_wmi_susp_scripting.md
index f87d553..e248f9c 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/sysmon_wmi_susp_scripting.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/sysmon_wmi_susp_scripting.md
@@ -19,8 +19,9 @@
 
 ```
 title: Suspicious Scripting in a WMI Consumer
+id: fe21810c-2a8c-478f-8dd3-5a287fb2a0e0
 status: experimental
-description: Detects suspicious scripting in WMI Event Consumers 
+description: Detects suspicious scripting in WMI Event Consumers
 author: Florian Roth
 references:
     - https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/
@@ -77,7 +78,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### graylog
     
 ```
-(EventID:"20" AND Destination:("*new\\-object system.net.webclient\\).downloadstring\\(*" "*new\\-object system.net.webclient\\).downloadfile\\(*" "*new\\-object net.webclient\\).downloadstring\\(*" "*new\\-object net.webclient\\).downloadfile\\(*" "* iex\\(*" "*WScript.shell*" "* \\-nop *" "* \\-noprofile *" "* \\-decode *" "* \\-enc *"))
+(EventID:"20" AND Destination.keyword:(*new\\-object system.net.webclient\\).downloadstring\\(* *new\\-object system.net.webclient\\).downloadfile\\(* *new\\-object net.webclient\\).downloadstring\\(* *new\\-object net.webclient\\).downloadfile\\(* * iex\\(* *WScript.shell* * \\-nop * * \\-noprofile * * \\-decode * * \\-enc *))
 ```
 
 
@@ -91,7 +92,7 @@ curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9
 ### logpoint
     
 ```
-(EventID="20" Destination IN ["*new-object system.net.webclient).downloadstring(*", "*new-object system.net.webclient).downloadfile(*", "*new-object net.webclient).downloadstring(*", "*new-object net.webclient).downloadfile(*", "* iex(*", "*WScript.shell*", "* -nop *", "* -noprofile *", "* -decode *", "* -enc *"])
+(event_id="20" Destination IN ["*new-object system.net.webclient).downloadstring(*", "*new-object system.net.webclient).downloadfile(*", "*new-object net.webclient).downloadstring(*", "*new-object net.webclient).downloadfile(*", "* iex(*", "*WScript.shell*", "* -nop *", "* -noprofile *", "* -decode *", "* -enc *"])
 ```
 
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_GPO_scheduledtasks.md b/Atomic_Threat_Coverage/Detection_Rules/win_GPO_scheduledtasks.md
index c9eaf46..6af5b40 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_GPO_scheduledtasks.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_GPO_scheduledtasks.md
@@ -49,6 +49,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(EventID:"5145" AND ShareName.keyword:\\\\*\\\\SYSVOL AND RelativeTargetName.keyword:*ScheduledTasks.xml AND Accesses.keyword:*WriteData*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Persistence-and-Execution-at-scale-via-GPO-scheduled-task <<EOF\n{\n  "metadata": {\n    "title": "Persistence and Execution at scale via GPO scheduled task",\n    "description": "Detect lateral movement using GPO scheduled task, ususally used to deploy ransomware at scale",\n    "tags": [\n      "attack.persistence",\n      "attack.lateral_movement",\n      "attack.t1053"\n    ],\n    "query": "(EventID:\\"5145\\" AND ShareName.keyword:\\\\\\\\*\\\\\\\\SYSVOL AND RelativeTargetName.keyword:*ScheduledTasks.xml AND Accesses.keyword:*WriteData*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:\\"5145\\" AND ShareName.keyword:\\\\\\\\*\\\\\\\\SYSVOL AND RelativeTargetName.keyword:*ScheduledTasks.xml AND Accesses.keyword:*WriteData*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Persistence and Execution at scale via GPO scheduled task\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(EventID:"5145" AND ShareName.keyword:\\\\*\\\\SYSVOL AND RelativeTargetName.keyword:*ScheduledTasks.xml AND Accesses.keyword:*WriteData*)
+```
+
+
 ### splunk
     
 ```
@@ -56,4 +77,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_source="Microsoft-Windows-Security-Auditing" event_id="5145" ShareName="\\\\*\\\\SYSVOL" RelativeTargetName="*ScheduledTasks.xml" Accesses="*WriteData*")
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*5145)(?=.*\\\\.*\\SYSVOL)(?=.*.*ScheduledTasks\\.xml)(?=.*.*WriteData.*))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_account_backdoor_dcsync_rights.md b/Atomic_Threat_Coverage/Detection_Rules/win_account_backdoor_dcsync_rights.md
index 33c018a..5afd45a 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_account_backdoor_dcsync_rights.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_account_backdoor_dcsync_rights.md
@@ -52,6 +52,27 @@ level: critical
 
 
 
+### es-qs
+    
+```
+(EventID:"5136" AND LDAPDisplayName:"ntSecurityDescriptor" AND Value.keyword:(*1131f6ad\\-9c07\\-11d1\\-f79f\\-00c04fc2dcd2* OR *1131f6aa\\-9c07\\-11d1\\-f79f\\-00c04fc2dcd2*))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Powerview-Add-DomainObjectAcl-DCSync-AD-Extend-Right <<EOF\n{\n  "metadata": {\n    "title": "Powerview Add-DomainObjectAcl DCSync AD Extend Right",\n    "description": "backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\\\\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer",\n    "tags": [\n      "attack.credential_access",\n      "attack.persistence"\n    ],\n    "query": "(EventID:\\"5136\\" AND LDAPDisplayName:\\"ntSecurityDescriptor\\" AND Value.keyword:(*1131f6ad\\\\-9c07\\\\-11d1\\\\-f79f\\\\-00c04fc2dcd2* OR *1131f6aa\\\\-9c07\\\\-11d1\\\\-f79f\\\\-00c04fc2dcd2*))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:\\"5136\\" AND LDAPDisplayName:\\"ntSecurityDescriptor\\" AND Value.keyword:(*1131f6ad\\\\-9c07\\\\-11d1\\\\-f79f\\\\-00c04fc2dcd2* OR *1131f6aa\\\\-9c07\\\\-11d1\\\\-f79f\\\\-00c04fc2dcd2*))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Powerview Add-DomainObjectAcl DCSync AD Extend Right\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(EventID:"5136" AND LDAPDisplayName:"ntSecurityDescriptor" AND Value.keyword:(*1131f6ad\\-9c07\\-11d1\\-f79f\\-00c04fc2dcd2* *1131f6aa\\-9c07\\-11d1\\-f79f\\-00c04fc2dcd2*))
+```
+
+
 ### splunk
     
 ```
@@ -59,4 +80,18 @@ level: critical
 ```
 
 
+### logpoint
+    
+```
+(event_source="Microsoft-Windows-Security-Auditing" event_id="5136" LDAPDisplayName="ntSecurityDescriptor" Value IN ["*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*", "*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*5136)(?=.*ntSecurityDescriptor)(?=.*(?:.*.*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2.*|.*.*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2.*)))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_account_discovery.md b/Atomic_Threat_Coverage/Detection_Rules/win_account_discovery.md
index 75d6ea4..74e5af5 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_account_discovery.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_account_discovery.md
@@ -60,6 +60,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(EventID:"4661" AND ObjectType:("SAM_USER" OR "SAM_GROUP") AND ObjectName.keyword:(*\\-512 OR *\\-502 OR *\\-500 OR *\\-505 OR *\\-519 OR *\\-520 OR *\\-544 OR *\\-551 OR *\\-555 OR *admin*))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/AD-Privileged-Users-or-Groups-Reconnaissance <<EOF\n{\n  "metadata": {\n    "title": "AD Privileged Users or Groups Reconnaissance",\n    "description": "Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs",\n    "tags": [\n      "attack.discovery",\n      "attack.t1087"\n    ],\n    "query": "(EventID:\\"4661\\" AND ObjectType:(\\"SAM_USER\\" OR \\"SAM_GROUP\\") AND ObjectName.keyword:(*\\\\-512 OR *\\\\-502 OR *\\\\-500 OR *\\\\-505 OR *\\\\-519 OR *\\\\-520 OR *\\\\-544 OR *\\\\-551 OR *\\\\-555 OR *admin*))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:\\"4661\\" AND ObjectType:(\\"SAM_USER\\" OR \\"SAM_GROUP\\") AND ObjectName.keyword:(*\\\\-512 OR *\\\\-502 OR *\\\\-500 OR *\\\\-505 OR *\\\\-519 OR *\\\\-520 OR *\\\\-544 OR *\\\\-551 OR *\\\\-555 OR *admin*))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'AD Privileged Users or Groups Reconnaissance\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(EventID:"4661" AND ObjectType:("SAM_USER" "SAM_GROUP") AND ObjectName.keyword:(*\\-512 *\\-502 *\\-500 *\\-505 *\\-519 *\\-520 *\\-544 *\\-551 *\\-555 *admin*))
+```
+
+
 ### splunk
     
 ```
@@ -67,4 +88,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_source="Microsoft-Windows-Security-Auditing" event_id="4661" ObjectType IN ["SAM_USER", "SAM_GROUP"] ObjectName IN ["*-512", "*-502", "*-500", "*-505", "*-519", "*-520", "*-544", "*-551", "*-555", "*admin*"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*4661)(?=.*(?:.*SAM_USER|.*SAM_GROUP))(?=.*(?:.*.*-512|.*.*-502|.*.*-500|.*.*-505|.*.*-519|.*.*-520|.*.*-544|.*.*-551|.*.*-555|.*.*admin.*)))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_admin_rdp_login.md b/Atomic_Threat_Coverage/Detection_Rules/win_admin_rdp_login.md
index 859a8dd..7c0cac9 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_admin_rdp_login.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_admin_rdp_login.md
@@ -50,6 +50,27 @@ level: low
 
 
 
+### es-qs
+    
+```
+(EventID:"4624" AND LogonType:"10" AND AuthenticationPackageName:"Negotiate" AND AccountName.keyword:Admin\\-*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Admin-User-Remote-Logon <<EOF\n{\n  "metadata": {\n    "title": "Admin User Remote Logon",\n    "description": "Detect remote login by Administrator user depending on internal pattern",\n    "tags": [\n      "attack.lateral_movement",\n      "attack.t1078",\n      "car.2016-04-005"\n    ],\n    "query": "(EventID:\\"4624\\" AND LogonType:\\"10\\" AND AuthenticationPackageName:\\"Negotiate\\" AND AccountName.keyword:Admin\\\\-*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:\\"4624\\" AND LogonType:\\"10\\" AND AuthenticationPackageName:\\"Negotiate\\" AND AccountName.keyword:Admin\\\\-*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Admin User Remote Logon\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(EventID:"4624" AND LogonType:"10" AND AuthenticationPackageName:"Negotiate" AND AccountName.keyword:Admin\\-*)
+```
+
+
 ### splunk
     
 ```
@@ -57,4 +78,18 @@ level: low
 ```
 
 
+### logpoint
+    
+```
+(event_source="Microsoft-Windows-Security-Auditing" event_id="4624" logon_type="10" AuthenticationPackageName="Negotiate" AccountName="Admin-*")
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*4624)(?=.*10)(?=.*Negotiate)(?=.*Admin-.*))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_admin_share_access.md b/Atomic_Threat_Coverage/Detection_Rules/win_admin_share_access.md
index a1d5147..656e255 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_admin_share_access.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_admin_share_access.md
@@ -47,6 +47,27 @@ level: low
 
 
 
+### es-qs
+    
+```
+((EventID:"5140" AND ShareName:"Admin$") AND (NOT (SubjectUserName.keyword:*$)))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Access-to-ADMIN$-Share <<EOF\n{\n  "metadata": {\n    "title": "Access to ADMIN$ Share",\n    "description": "Detects access to $ADMIN share",\n    "tags": [\n      "attack.lateral_movement",\n      "attack.t1077"\n    ],\n    "query": "((EventID:\\"5140\\" AND ShareName:\\"Admin$\\") AND (NOT (SubjectUserName.keyword:*$)))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "((EventID:\\"5140\\" AND ShareName:\\"Admin$\\") AND (NOT (SubjectUserName.keyword:*$)))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Access to ADMIN$ Share\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+((EventID:"5140" AND ShareName:"Admin$") AND (NOT (SubjectUserName.keyword:*$)))
+```
+
+
 ### splunk
     
 ```
@@ -54,4 +75,18 @@ level: low
 ```
 
 
+### logpoint
+    
+```
+(event_source="Microsoft-Windows-Security-Auditing" (event_id="5140" ShareName="Admin$")  -(SubjectUserName="*$"))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*(?=.*5140)(?=.*Admin\\$)))(?=.*(?!.*(?:.*(?=.*.*\\$)))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_alert_active_directory_user_control.md b/Atomic_Threat_Coverage/Detection_Rules/win_alert_active_directory_user_control.md
index c3d8882..988f2dc 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_alert_active_directory_user_control.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_alert_active_directory_user_control.md
@@ -48,6 +48,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(EventID:"4704" AND Message.keyword:(*SeEnableDelegationPrivilege*))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Enabled-User-Right-in-AD-to-Control-User-Objects <<EOF\n{\n  "metadata": {\n    "title": "Enabled User Right in AD to Control User Objects",\n    "description": "Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.",\n    "tags": [\n      "attack.privilege_escalation",\n      "attack.t1078"\n    ],\n    "query": "(EventID:\\"4704\\" AND Message.keyword:(*SeEnableDelegationPrivilege*))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:\\"4704\\" AND Message.keyword:(*SeEnableDelegationPrivilege*))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Enabled User Right in AD to Control User Objects\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(EventID:"4704" AND Message.keyword:(*SeEnableDelegationPrivilege*))
+```
+
+
 ### splunk
     
 ```
@@ -55,4 +76,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_source="Microsoft-Windows-Security-Auditing" event_id="4704" Message IN ["*SeEnableDelegationPrivilege*"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*4704)(?=.*(?:.*.*SeEnableDelegationPrivilege.*)))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_alert_ad_user_backdoors.md b/Atomic_Threat_Coverage/Detection_Rules/win_alert_ad_user_backdoors.md
index f333686..39d9b77 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_alert_ad_user_backdoors.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_alert_ad_user_backdoors.md
@@ -63,6 +63,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+((((EventID:"4738" AND (NOT ((NOT _exists_:AllowedToDelegateTo) OR (AllowedToDelegateTo:"\\-")))) OR (EventID:"5136" AND AttributeLDAPDisplayName:"msDS\\-AllowedToDelegateTo")) OR (EventID:"5136" AND ObjectClass:"user" AND AttributeLDAPDisplayName:"servicePrincipalName")) OR (EventID:"5136" AND AttributeLDAPDisplayName:"msDS\\-AllowedToActOnBehalfOfOtherIdentity"))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Active-Directory-User-Backdoors <<EOF\n{\n  "metadata": {\n    "title": "Active Directory User Backdoors",\n    "description": "Detects scenarios where one can control another users or computers account without having to use their credentials.",\n    "tags": [\n      "attack.t1098",\n      "attack.credential_access",\n      "attack.persistence"\n    ],\n    "query": "((((EventID:\\"4738\\" AND (NOT ((NOT _exists_:AllowedToDelegateTo) OR (AllowedToDelegateTo:\\"\\\\-\\")))) OR (EventID:\\"5136\\" AND AttributeLDAPDisplayName:\\"msDS\\\\-AllowedToDelegateTo\\")) OR (EventID:\\"5136\\" AND ObjectClass:\\"user\\" AND AttributeLDAPDisplayName:\\"servicePrincipalName\\")) OR (EventID:\\"5136\\" AND AttributeLDAPDisplayName:\\"msDS\\\\-AllowedToActOnBehalfOfOtherIdentity\\"))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "((((EventID:\\"4738\\" AND (NOT ((NOT _exists_:AllowedToDelegateTo) OR (AllowedToDelegateTo:\\"\\\\-\\")))) OR (EventID:\\"5136\\" AND AttributeLDAPDisplayName:\\"msDS\\\\-AllowedToDelegateTo\\")) OR (EventID:\\"5136\\" AND ObjectClass:\\"user\\" AND AttributeLDAPDisplayName:\\"servicePrincipalName\\")) OR (EventID:\\"5136\\" AND AttributeLDAPDisplayName:\\"msDS\\\\-AllowedToActOnBehalfOfOtherIdentity\\"))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Active Directory User Backdoors\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+((((EventID:"4738" AND (NOT ((NOT _exists_:AllowedToDelegateTo) OR (AllowedToDelegateTo:"\\-")))) OR (EventID:"5136" AND AttributeLDAPDisplayName:"msDS\\-AllowedToDelegateTo")) OR (EventID:"5136" AND ObjectClass:"user" AND AttributeLDAPDisplayName:"servicePrincipalName")) OR (EventID:"5136" AND AttributeLDAPDisplayName:"msDS\\-AllowedToActOnBehalfOfOtherIdentity"))
+```
+
+
 ### splunk
     
 ```
@@ -70,4 +91,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_source="Microsoft-Windows-Security-Auditing" ((((event_source="Microsoft-Windows-Security-Auditing" event_id="4738"  -((-AllowedToDelegateTo=*) OR (AllowedToDelegateTo="-"))) OR (event_id="5136" AttributeLDAPDisplayName="msDS-AllowedToDelegateTo")) OR (event_id="5136" ObjectClass="user" AttributeLDAPDisplayName="servicePrincipalName")) OR (event_id="5136" AttributeLDAPDisplayName="msDS-AllowedToActOnBehalfOfOtherIdentity")))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?:.*(?:.*(?:.*(?:.*(?:.*(?:.*(?=.*4738)(?=.*(?!.*(?:.*(?:.*(?:.*(?=.*(?!AllowedToDelegateTo)))|.*(?:.*(?=.*-)))))))|.*(?:.*(?=.*5136)(?=.*msDS-AllowedToDelegateTo))))|.*(?:.*(?=.*5136)(?=.*user)(?=.*servicePrincipalName))))|.*(?:.*(?=.*5136)(?=.*msDS-AllowedToActOnBehalfOfOtherIdentity))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_alert_enable_weak_encryption.md b/Atomic_Threat_Coverage/Detection_Rules/win_alert_enable_weak_encryption.md
index a2a565a..904876c 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_alert_enable_weak_encryption.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_alert_enable_weak_encryption.md
@@ -54,6 +54,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(EventID:"4738" AND Message.keyword:(*DES* OR *Preauth* OR *Encrypted*) AND Message.keyword:(*Enabled*))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Weak-Encryption-Enabled-and-Kerberoast <<EOF\n{\n  "metadata": {\n    "title": "Weak Encryption Enabled and Kerberoast",\n    "description": "Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.t1089"\n    ],\n    "query": "(EventID:\\"4738\\" AND Message.keyword:(*DES* OR *Preauth* OR *Encrypted*) AND Message.keyword:(*Enabled*))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:\\"4738\\" AND Message.keyword:(*DES* OR *Preauth* OR *Encrypted*) AND Message.keyword:(*Enabled*))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Weak Encryption Enabled and Kerberoast\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(EventID:"4738" AND Message.keyword:(*DES* *Preauth* *Encrypted*) AND Message.keyword:(*Enabled*))
+```
+
+
 ### splunk
     
 ```
@@ -61,4 +82,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_source="Microsoft-Windows-Security-Auditing" event_id="4738" Message IN ["*DES*", "*Preauth*", "*Encrypted*"] Message IN ["*Enabled*"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*4738)(?=.*(?:.*.*DES.*|.*.*Preauth.*|.*.*Encrypted.*))(?=.*(?:.*.*Enabled.*)))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_alert_lsass_access.md b/Atomic_Threat_Coverage/Detection_Rules/win_alert_lsass_access.md
index 3dde134..d0b7fce 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_alert_lsass_access.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_alert_lsass_access.md
@@ -49,6 +49,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(EventID:"1121" AND Path.keyword:*\\\\lsass.exe)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/LSASS-Access-Detected-via-Attack-Surface-Reduction <<EOF\n{\n  "metadata": {\n    "title": "LSASS Access Detected via Attack Surface Reduction",\n    "description": "Detects Access to LSASS Process",\n    "tags": [\n      "attack.credential_access",\n      "attack.t1003"\n    ],\n    "query": "(EventID:\\"1121\\" AND Path.keyword:*\\\\\\\\lsass.exe)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:\\"1121\\" AND Path.keyword:*\\\\\\\\lsass.exe)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'LSASS Access Detected via Attack Surface Reduction\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(EventID:"1121" AND Path.keyword:*\\\\lsass.exe)
+```
+
+
 ### splunk
     
 ```
@@ -56,4 +77,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_id="1121" Path="*\\\\lsass.exe")
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*1121)(?=.*.*\\lsass\\.exe))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_alert_mimikatz_keywords.md b/Atomic_Threat_Coverage/Detection_Rules/win_alert_mimikatz_keywords.md
index df4d32c..58f1157 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_alert_mimikatz_keywords.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_alert_mimikatz_keywords.md
@@ -59,6 +59,27 @@ level: critical
 
 
 
+### es-qs
+    
+```
+Message.keyword:(*\\ mimikatz\\ * OR *\\ mimilib\\ * OR *\\ 3\\ eo.oe\\ * OR *\\ eo.oe.kiwi\\ * OR *\\ privilege\\:\\:debug\\ * OR *\\ sekurlsa\\:\\:logonpasswords\\ * OR *\\ lsadump\\:\\:sam\\ * OR *\\ mimidrv.sys\\ * OR *\\ p\\:\\:d\\ * OR *\\ s\\:\\:l\\ *)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Mimikatz-Use <<EOF\n{\n  "metadata": {\n    "title": "Mimikatz Use",\n    "description": "This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)",\n    "tags": [\n      "attack.s0002",\n      "attack.t1003",\n      "attack.lateral_movement",\n      "attack.credential_access",\n      "car.2013-07-001",\n      "car.2019-04-004"\n    ],\n    "query": "Message.keyword:(*\\\\ mimikatz\\\\ * OR *\\\\ mimilib\\\\ * OR *\\\\ 3\\\\ eo.oe\\\\ * OR *\\\\ eo.oe.kiwi\\\\ * OR *\\\\ privilege\\\\:\\\\:debug\\\\ * OR *\\\\ sekurlsa\\\\:\\\\:logonpasswords\\\\ * OR *\\\\ lsadump\\\\:\\\\:sam\\\\ * OR *\\\\ mimidrv.sys\\\\ * OR *\\\\ p\\\\:\\\\:d\\\\ * OR *\\\\ s\\\\:\\\\:l\\\\ *)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "Message.keyword:(*\\\\ mimikatz\\\\ * OR *\\\\ mimilib\\\\ * OR *\\\\ 3\\\\ eo.oe\\\\ * OR *\\\\ eo.oe.kiwi\\\\ * OR *\\\\ privilege\\\\:\\\\:debug\\\\ * OR *\\\\ sekurlsa\\\\:\\\\:logonpasswords\\\\ * OR *\\\\ lsadump\\\\:\\\\:sam\\\\ * OR *\\\\ mimidrv.sys\\\\ * OR *\\\\ p\\\\:\\\\:d\\\\ * OR *\\\\ s\\\\:\\\\:l\\\\ *)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Mimikatz Use\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+Message.keyword:(* mimikatz * * mimilib * * 3 eo.oe * * eo.oe.kiwi * * privilege\\:\\:debug * * sekurlsa\\:\\:logonpasswords * * lsadump\\:\\:sam * * mimidrv.sys * * p\\:\\:d * * s\\:\\:l *)
+```
+
+
 ### splunk
     
 ```
@@ -66,4 +87,18 @@ level: critical
 ```
 
 
+### logpoint
+    
+```
+Message IN ["* mimikatz *", "* mimilib *", "* <3 eo.oe *", "* eo.oe.kiwi *", "* privilege::debug *", "* sekurlsa::logonpasswords *", "* lsadump::sam *", "* mimidrv.sys *", "* p::d *", "* s::l *"]
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*.* mimikatz .*|.*.* mimilib .*|.*.* <3 eo\\.oe .*|.*.* eo\\.oe\\.kiwi .*|.*.* privilege::debug .*|.*.* sekurlsa::logonpasswords .*|.*.* lsadump::sam .*|.*.* mimidrv\\.sys .*|.*.* p::d .*|.*.* s::l .*)'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_alert_ruler.md b/Atomic_Threat_Coverage/Detection_Rules/win_alert_ruler.md
index 4628f33..7b0a9a8 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_alert_ruler.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_alert_ruler.md
@@ -61,6 +61,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+((EventID:("4776") AND Workstation:"RULER") OR (EventID:("4624" OR "4625") AND WorkstationName:"RULER"))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Hacktool-Ruler <<EOF\n{\n  "metadata": {\n    "title": "Hacktool Ruler",\n    "description": "This events that are generated when using the hacktool Ruler by Sensepost",\n    "tags": [\n      "attack.discovery",\n      "attack.execution",\n      "attack.t1087",\n      "attack.t1075",\n      "attack.t1114",\n      "attack.t1059"\n    ],\n    "query": "((EventID:(\\"4776\\") AND Workstation:\\"RULER\\") OR (EventID:(\\"4624\\" OR \\"4625\\") AND WorkstationName:\\"RULER\\"))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "((EventID:(\\"4776\\") AND Workstation:\\"RULER\\") OR (EventID:(\\"4624\\" OR \\"4625\\") AND WorkstationName:\\"RULER\\"))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Hacktool Ruler\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+((EventID:("4776") AND Workstation:"RULER") OR (EventID:("4624" "4625") AND WorkstationName:"RULER"))
+```
+
+
 ### splunk
     
 ```
@@ -68,4 +89,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_source="Microsoft-Windows-Security-Auditing" ((event_id IN ["4776"] Workstation="RULER") OR (event_id IN ["4624", "4625"] WorkstationName="RULER")))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?:.*(?:.*(?=.*(?:.*4776))(?=.*RULER))|.*(?:.*(?=.*(?:.*4624|.*4625))(?=.*RULER))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_apt_bluemashroom.md b/Atomic_Threat_Coverage/Detection_Rules/win_apt_bluemashroom.md
index 630e437..1d659de 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_apt_bluemashroom.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_apt_bluemashroom.md
@@ -3,7 +3,7 @@
 | Description          | Detects a suspicious DLL loading from AppData Local path as described in BlueMashroom report                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1117: Regsvr32](https://attack.mitre.org/techniques/T1117)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1117: Regsvr32](../Triggers/T1117.md)</li></ul>  |
 | Severity Level       | critical |
@@ -48,6 +48,27 @@ level: critical
 
 
 
+### es-qs
+    
+```
+CommandLine.keyword:(*\\\\regsvr32*\\\\AppData\\\\Local\\\\* OR *\\\\AppData\\\\Local\\\\*,DllEntry*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/BlueMashroom-DLL-Load <<EOF\n{\n  "metadata": {\n    "title": "BlueMashroom DLL Load",\n    "description": "Detects a suspicious DLL loading from AppData Local path as described in BlueMashroom report",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.t1117"\n    ],\n    "query": "CommandLine.keyword:(*\\\\\\\\regsvr32*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\* OR *\\\\\\\\AppData\\\\\\\\Local\\\\\\\\*,DllEntry*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "CommandLine.keyword:(*\\\\\\\\regsvr32*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\* OR *\\\\\\\\AppData\\\\\\\\Local\\\\\\\\*,DllEntry*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'BlueMashroom DLL Load\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+CommandLine.keyword:(*\\\\regsvr32*\\\\AppData\\\\Local\\\\* *\\\\AppData\\\\Local\\\\*,DllEntry*)
+```
+
+
 ### splunk
     
 ```
@@ -55,4 +76,18 @@ level: critical
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" CommandLine IN ["*\\\\regsvr32*\\\\AppData\\\\Local\\\\*", "*\\\\AppData\\\\Local\\\\*,DllEntry*"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*.*\\regsvr32.*\\AppData\\Local\\\\.*|.*.*\\AppData\\Local\\\\.*,DllEntry.*)'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_apt_mustangpanda.md b/Atomic_Threat_Coverage/Detection_Rules/win_apt_mustangpanda.md
index ab5374c..bff347a 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_apt_mustangpanda.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_apt_mustangpanda.md
@@ -3,7 +3,7 @@
 | Description          | Detects specific process parameters as used by Mustang Panda droppers                                                                                                                                           |
 | ATT&amp;CK Tactic    |   This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet  |
 | ATT&amp;CK Technique |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              |  There is no documented Trigger for this Detection Rule yet  |
 | Severity Level       | high |
@@ -56,6 +56,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(CommandLine.keyword:(*Temp\\\\wtask.exe\\ \\/create* OR *%windir\\:\\~\\-3,1%%PUBLIC\\:\\~\\-9,1%* OR *\\/E\\:vbscript\\ *\\ C\\:\\\\Users\\*.txt\\"\\ \\/F OR *\\/tn\\ \\"Security\\ Script\\ * OR *%windir\\:\\~\\-1,1%*) OR Image.keyword:(*Temp\\\\winwsh.exe))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Mustang-Panda-Dropper <<EOF\n{\n  "metadata": {\n    "title": "Mustang Panda Dropper",\n    "description": "Detects specific process parameters as used by Mustang Panda droppers",\n    "tags": "",\n    "query": "(CommandLine.keyword:(*Temp\\\\\\\\wtask.exe\\\\ \\\\/create* OR *%windir\\\\:\\\\~\\\\-3,1%%PUBLIC\\\\:\\\\~\\\\-9,1%* OR *\\\\/E\\\\:vbscript\\\\ *\\\\ C\\\\:\\\\\\\\Users\\\\*.txt\\\\\\"\\\\ \\\\/F OR *\\\\/tn\\\\ \\\\\\"Security\\\\ Script\\\\ * OR *%windir\\\\:\\\\~\\\\-1,1%*) OR Image.keyword:(*Temp\\\\\\\\winwsh.exe))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(CommandLine.keyword:(*Temp\\\\\\\\wtask.exe\\\\ \\\\/create* OR *%windir\\\\:\\\\~\\\\-3,1%%PUBLIC\\\\:\\\\~\\\\-9,1%* OR *\\\\/E\\\\:vbscript\\\\ *\\\\ C\\\\:\\\\\\\\Users\\\\*.txt\\\\\\"\\\\ \\\\/F OR *\\\\/tn\\\\ \\\\\\"Security\\\\ Script\\\\ * OR *%windir\\\\:\\\\~\\\\-1,1%*) OR Image.keyword:(*Temp\\\\\\\\winwsh.exe))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Mustang Panda Dropper\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n      CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(CommandLine.keyword:(*Temp\\\\wtask.exe \\/create* *%windir\\:\\~\\-3,1%%PUBLIC\\:\\~\\-9,1%* *\\/E\\:vbscript * C\\:\\\\Users\\*.txt\\" \\/F *\\/tn \\"Security Script * *%windir\\:\\~\\-1,1%*) OR Image.keyword:(*Temp\\\\winwsh.exe))
+```
+
+
 ### splunk
     
 ```
@@ -63,4 +84,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" (CommandLine IN ["*Temp\\\\wtask.exe /create*", "*%windir:~-3,1%%PUBLIC:~-9,1%*", "*/E:vbscript * C:\\\\Users\\*.txt\\" /F", "*/tn \\"Security Script *", "*%windir:~-1,1%*"] OR Image IN ["*Temp\\\\winwsh.exe"]))
+```
+
+
+### grep
+    
+```
+grep -P \'^(?:.*(?:.*(?:.*.*Temp\\wtask\\.exe /create.*|.*.*%windir:~-3,1%%PUBLIC:~-9,1%.*|.*.*/E:vbscript .* C:\\Users\\.*\\.txt" /F|.*.*/tn "Security Script .*|.*.*%windir:~-1,1%.*)|.*(?:.*.*Temp\\winwsh\\.exe)))\'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_atsvc_task.md b/Atomic_Threat_Coverage/Detection_Rules/win_atsvc_task.md
index 0e4e3a1..1854321 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_atsvc_task.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_atsvc_task.md
@@ -51,6 +51,27 @@ level: medium
 
 
 
+### es-qs
+    
+```
+(EventID:"5145" AND ShareName.keyword:\\\\*\\\\IPC$ AND RelativeTargetName:"atsvc" AND Accesses.keyword:*WriteData*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Remote-Task-Creation-via-ATSVC-named-pipe <<EOF\n{\n  "metadata": {\n    "title": "Remote Task Creation via ATSVC named pipe",\n    "description": "Detects remote task creation via at.exe or API interacting with ATSVC namedpipe",\n    "tags": [\n      "attack.lateral_movement",\n      "attack.persistence",\n      "attack.t1053",\n      "car.2013-05-004",\n      "car.2015-04-001"\n    ],\n    "query": "(EventID:\\"5145\\" AND ShareName.keyword:\\\\\\\\*\\\\\\\\IPC$ AND RelativeTargetName:\\"atsvc\\" AND Accesses.keyword:*WriteData*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:\\"5145\\" AND ShareName.keyword:\\\\\\\\*\\\\\\\\IPC$ AND RelativeTargetName:\\"atsvc\\" AND Accesses.keyword:*WriteData*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Remote Task Creation via ATSVC named pipe\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(EventID:"5145" AND ShareName.keyword:\\\\*\\\\IPC$ AND RelativeTargetName:"atsvc" AND Accesses.keyword:*WriteData*)
+```
+
+
 ### splunk
     
 ```
@@ -58,4 +79,18 @@ level: medium
 ```
 
 
+### logpoint
+    
+```
+(event_source="Microsoft-Windows-Security-Auditing" event_id="5145" ShareName="\\\\*\\\\IPC$" RelativeTargetName="atsvc" Accesses="*WriteData*")
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*5145)(?=.*\\\\.*\\IPC\\$)(?=.*atsvc)(?=.*.*WriteData.*))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_attrib_hiding_files.md b/Atomic_Threat_Coverage/Detection_Rules/win_attrib_hiding_files.md
index 01d973a..ff28a1a 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_attrib_hiding_files.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_attrib_hiding_files.md
@@ -56,6 +56,27 @@ level: low
 
 
 
+### es-qs
+    
+```
+((Image.keyword:*\\\\attrib.exe AND CommandLine.keyword:*\\ \\+h\\ *) AND (NOT ((CommandLine.keyword:*\\\\desktop.ini\\ * OR (ParentImage.keyword:*\\\\cmd.exe AND CommandLine.keyword:\\+R\\ \\+H\\ \\+S\\ \\+A\\ \\\\*.cui AND ParentCommandLine.keyword:C\\:\\\\WINDOWS\\\\system32\\\\*.bat)))))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Hiding-files-with-attrib.exe <<EOF\n{\n  "metadata": {\n    "title": "Hiding files with attrib.exe",\n    "description": "Detects usage of attrib.exe to hide files from users.",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.persistence",\n      "attack.t1158"\n    ],\n    "query": "((Image.keyword:*\\\\\\\\attrib.exe AND CommandLine.keyword:*\\\\ \\\\+h\\\\ *) AND (NOT ((CommandLine.keyword:*\\\\\\\\desktop.ini\\\\ * OR (ParentImage.keyword:*\\\\\\\\cmd.exe AND CommandLine.keyword:\\\\+R\\\\ \\\\+H\\\\ \\\\+S\\\\ \\\\+A\\\\ \\\\\\\\*.cui AND ParentCommandLine.keyword:C\\\\:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\*.bat)))))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "((Image.keyword:*\\\\\\\\attrib.exe AND CommandLine.keyword:*\\\\ \\\\+h\\\\ *) AND (NOT ((CommandLine.keyword:*\\\\\\\\desktop.ini\\\\ * OR (ParentImage.keyword:*\\\\\\\\cmd.exe AND CommandLine.keyword:\\\\+R\\\\ \\\\+H\\\\ \\\\+S\\\\ \\\\+A\\\\ \\\\\\\\*.cui AND ParentCommandLine.keyword:C\\\\:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\*.bat)))))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Hiding files with attrib.exe\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n      CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}\\n             User = {{_source.User}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+((Image.keyword:*\\\\attrib.exe AND CommandLine.keyword:* \\+h *) AND (NOT ((CommandLine.keyword:*\\\\desktop.ini * OR (ParentImage.keyword:*\\\\cmd.exe AND CommandLine.keyword:\\+R \\+H \\+S \\+A \\\\*.cui AND ParentCommandLine.keyword:C\\:\\\\WINDOWS\\\\system32\\\\*.bat)))))
+```
+
+
 ### splunk
     
 ```
@@ -63,4 +84,18 @@ level: low
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" (Image="*\\\\attrib.exe" CommandLine="* +h *")  -((event_id="1" (CommandLine="*\\\\desktop.ini *" OR (ParentImage="*\\\\cmd.exe" CommandLine="+R +H +S +A \\\\*.cui" ParentCommandLine="C:\\\\WINDOWS\\\\system32\\\\*.bat")))))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*(?=.*.*\\attrib\\.exe)(?=.*.* \\+h .*)))(?=.*(?!.*(?:.*(?:.*(?:.*.*\\desktop\\.ini .*|.*(?:.*(?=.*.*\\cmd\\.exe)(?=.*\\+R \\+H \\+S \\+A \\\\.*\\.cui)(?=.*C:\\WINDOWS\\system32\\\\.*\\.bat))))))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_av_relevant_match.md b/Atomic_Threat_Coverage/Detection_Rules/win_av_relevant_match.md
index 60c21c8..446171b 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_av_relevant_match.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_av_relevant_match.md
@@ -63,6 +63,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(Message.keyword:(*HTool* OR *Hacktool* OR *ASP\\/Backdoor* OR *JSP\\/Backdoor* OR *PHP\\/Backdoor* OR *Backdoor.ASP* OR *Backdoor.JSP* OR *Backdoor.PHP* OR *Webshell* OR *Portscan* OR *Mimikatz* OR *WinCred* OR *PlugX* OR *Korplug* OR *Pwdump* OR *Chopper* OR *WmiExec* OR *Xscan* OR *Clearlog* OR *ASPXSpy*) AND (NOT (Message.keyword:(*Keygen* OR *Crack*))))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Relevant-Anti-Virus-Event <<EOF\n{\n  "metadata": {\n    "title": "Relevant Anti-Virus Event",\n    "description": "This detection method points out highly relevant Antivirus events",\n    "tags": "",\n    "query": "(Message.keyword:(*HTool* OR *Hacktool* OR *ASP\\\\/Backdoor* OR *JSP\\\\/Backdoor* OR *PHP\\\\/Backdoor* OR *Backdoor.ASP* OR *Backdoor.JSP* OR *Backdoor.PHP* OR *Webshell* OR *Portscan* OR *Mimikatz* OR *WinCred* OR *PlugX* OR *Korplug* OR *Pwdump* OR *Chopper* OR *WmiExec* OR *Xscan* OR *Clearlog* OR *ASPXSpy*) AND (NOT (Message.keyword:(*Keygen* OR *Crack*))))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(Message.keyword:(*HTool* OR *Hacktool* OR *ASP\\\\/Backdoor* OR *JSP\\\\/Backdoor* OR *PHP\\\\/Backdoor* OR *Backdoor.ASP* OR *Backdoor.JSP* OR *Backdoor.PHP* OR *Webshell* OR *Portscan* OR *Mimikatz* OR *WinCred* OR *PlugX* OR *Korplug* OR *Pwdump* OR *Chopper* OR *WmiExec* OR *Xscan* OR *Clearlog* OR *ASPXSpy*) AND (NOT (Message.keyword:(*Keygen* OR *Crack*))))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Relevant Anti-Virus Event\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(Message.keyword:(*HTool* *Hacktool* *ASP\\/Backdoor* *JSP\\/Backdoor* *PHP\\/Backdoor* *Backdoor.ASP* *Backdoor.JSP* *Backdoor.PHP* *Webshell* *Portscan* *Mimikatz* *WinCred* *PlugX* *Korplug* *Pwdump* *Chopper* *WmiExec* *Xscan* *Clearlog* *ASPXSpy*) AND (NOT (Message.keyword:(*Keygen* *Crack*))))
+```
+
+
 ### splunk
     
 ```
@@ -70,4 +91,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(Message IN ["*HTool*", "*Hacktool*", "*ASP/Backdoor*", "*JSP/Backdoor*", "*PHP/Backdoor*", "*Backdoor.ASP*", "*Backdoor.JSP*", "*Backdoor.PHP*", "*Webshell*", "*Portscan*", "*Mimikatz*", "*WinCred*", "*PlugX*", "*Korplug*", "*Pwdump*", "*Chopper*", "*WmiExec*", "*Xscan*", "*Clearlog*", "*ASPXSpy*"]  -(Message IN ["*Keygen*", "*Crack*"]))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*.*HTool.*|.*.*Hacktool.*|.*.*ASP/Backdoor.*|.*.*JSP/Backdoor.*|.*.*PHP/Backdoor.*|.*.*Backdoor\\.ASP.*|.*.*Backdoor\\.JSP.*|.*.*Backdoor\\.PHP.*|.*.*Webshell.*|.*.*Portscan.*|.*.*Mimikatz.*|.*.*WinCred.*|.*.*PlugX.*|.*.*Korplug.*|.*.*Pwdump.*|.*.*Chopper.*|.*.*WmiExec.*|.*.*Xscan.*|.*.*Clearlog.*|.*.*ASPXSpy.*))(?=.*(?!.*(?:.*(?=.*(?:.*.*Keygen.*|.*.*Crack.*))))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_bypass_squiblytwo.md b/Atomic_Threat_Coverage/Detection_Rules/win_bypass_squiblytwo.md
index 8d68bda..71368fd 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_bypass_squiblytwo.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_bypass_squiblytwo.md
@@ -60,6 +60,27 @@ detection:
 
 
 
+### es-qs
+    
+```
+((Image.keyword:(*\\\\wmic.exe) AND CommandLine.keyword:(wmic\\ *\\ *format\\:\\\\\\"http* OR wmic\\ *\\ \\/format\\:\'http OR wmic\\ *\\ \\/format\\:http*)) OR (Imphash:("1B1A3F43BF37B5BFE60751F2EE2F326E" OR "37777A96245A3C74EB217308F3546F4C" OR "9D87C9D67CE724033C0B40CC4CA1B206") AND CommandLine.keyword:(*\\ *format\\:\\\\\\"http* OR *\\ \\/format\\:\'http OR *\\ \\/format\\:http*)))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/SquiblyTwo <<EOF\n{\n  "metadata": {\n    "title": "SquiblyTwo",\n    "description": "Detects WMI SquiblyTwo Attack with possible renamed WMI by looking for imphash",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.t1047"\n    ],\n    "query": "((Image.keyword:(*\\\\\\\\wmic.exe) AND CommandLine.keyword:(wmic\\\\ *\\\\ *format\\\\:\\\\\\\\\\\\\\"http* OR wmic\\\\ *\\\\ \\\\/format\\\\:\'http OR wmic\\\\ *\\\\ \\\\/format\\\\:http*)) OR (Imphash:(\\"1B1A3F43BF37B5BFE60751F2EE2F326E\\" OR \\"37777A96245A3C74EB217308F3546F4C\\" OR \\"9D87C9D67CE724033C0B40CC4CA1B206\\") AND CommandLine.keyword:(*\\\\ *format\\\\:\\\\\\\\\\\\\\"http* OR *\\\\ \\\\/format\\\\:\'http OR *\\\\ \\\\/format\\\\:http*)))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "((Image.keyword:(*\\\\\\\\wmic.exe) AND CommandLine.keyword:(wmic\\\\ *\\\\ *format\\\\:\\\\\\\\\\\\\\"http* OR wmic\\\\ *\\\\ \\\\/format\\\\:\'http OR wmic\\\\ *\\\\ \\\\/format\\\\:http*)) OR (Imphash:(\\"1B1A3F43BF37B5BFE60751F2EE2F326E\\" OR \\"37777A96245A3C74EB217308F3546F4C\\" OR \\"9D87C9D67CE724033C0B40CC4CA1B206\\") AND CommandLine.keyword:(*\\\\ *format\\\\:\\\\\\\\\\\\\\"http* OR *\\\\ \\\\/format\\\\:\'http OR *\\\\ \\\\/format\\\\:http*)))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'SquiblyTwo\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+((Image.keyword:(*\\\\wmic.exe) AND CommandLine.keyword:(wmic * *format\\:\\\\\\"http* wmic * \\/format\\:\'http wmic * \\/format\\:http*)) OR (Imphash:("1B1A3F43BF37B5BFE60751F2EE2F326E" "37777A96245A3C74EB217308F3546F4C" "9D87C9D67CE724033C0B40CC4CA1B206") AND CommandLine.keyword:(* *format\\:\\\\\\"http* * \\/format\\:\'http * \\/format\\:http*)))
+```
+
+
 ### splunk
     
 ```
@@ -67,4 +88,18 @@ detection:
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" ((Image IN ["*\\\\wmic.exe"] CommandLine IN ["wmic * *format:\\\\\\"http*", "wmic * /format:\'http", "wmic * /format:http*"]) OR (Imphash IN ["1B1A3F43BF37B5BFE60751F2EE2F326E", "37777A96245A3C74EB217308F3546F4C", "9D87C9D67CE724033C0B40CC4CA1B206"] CommandLine IN ["* *format:\\\\\\"http*", "* /format:\'http", "* /format:http*"])))
+```
+
+
+### grep
+    
+```
+grep -P \'^(?:.*(?:.*(?:.*(?=.*(?:.*.*\\wmic\\.exe))(?=.*(?:.*wmic .* .*format:\\"http.*|.*wmic .* /format:\'"\'"\'http|.*wmic .* /format:http.*)))|.*(?:.*(?=.*(?:.*1B1A3F43BF37B5BFE60751F2EE2F326E|.*37777A96245A3C74EB217308F3546F4C|.*9D87C9D67CE724033C0B40CC4CA1B206))(?=.*(?:.*.* .*format:\\"http.*|.*.* /format:\'"\'"\'http|.*.* /format:http.*)))))\'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_change_default_file_association.md b/Atomic_Threat_Coverage/Detection_Rules/win_change_default_file_association.md
index c759c22..571d540 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_change_default_file_association.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_change_default_file_association.md
@@ -60,6 +60,27 @@ tags:
 
 
 
+### es-qs
+    
+```
+(CommandLine.keyword:*cmd* AND CommandLine.keyword:*\\/c* AND CommandLine.keyword:*assoc*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Change-Default-File-Association <<EOF\n{\n  "metadata": {\n    "title": "Change Default File Association",\n    "description": "When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.",\n    "tags": [\n      "attack.persistence",\n      "attack.t1042"\n    ],\n    "query": "(CommandLine.keyword:*cmd* AND CommandLine.keyword:*\\\\/c* AND CommandLine.keyword:*assoc*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(CommandLine.keyword:*cmd* AND CommandLine.keyword:*\\\\/c* AND CommandLine.keyword:*assoc*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Change Default File Association\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n            Image = {{_source.Image}}\\n      CommandLine = {{_source.CommandLine}}\\n             User = {{_source.User}}\\n        LogonGuid = {{_source.LogonGuid}}\\n           Hashes = {{_source.Hashes}}\\nParentProcessGuid = {{_source.ParentProcessGuid}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(CommandLine.keyword:*cmd* AND CommandLine.keyword:*\\/c* AND CommandLine.keyword:*assoc*)
+```
+
+
 ### splunk
     
 ```
@@ -67,4 +88,18 @@ tags:
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" CommandLine="*cmd*" CommandLine="*/c*" CommandLine="*assoc*")
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*.*cmd.*)(?=.*.*/c.*)(?=.*.*assoc.*))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_cmdkey_recon.md b/Atomic_Threat_Coverage/Detection_Rules/win_cmdkey_recon.md
index 2d24c22..3070f11 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_cmdkey_recon.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_cmdkey_recon.md
@@ -3,7 +3,7 @@
 | Description          | Detects usage of cmdkey to look for cached credentials                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1003: Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1003: Credential Dumping](../Triggers/T1003.md)</li></ul>  |
 | Severity Level       | low |
@@ -51,6 +51,27 @@ level: low
 
 
 
+### es-qs
+    
+```
+(Image.keyword:*\\\\cmdkey.exe AND CommandLine.keyword:*\\ \\/list\\ *)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Cmdkey-Cached-Credentials-Recon <<EOF\n{\n  "metadata": {\n    "title": "Cmdkey Cached Credentials Recon",\n    "description": "Detects usage of cmdkey to look for cached credentials",\n    "tags": [\n      "attack.credential_access",\n      "attack.t1003"\n    ],\n    "query": "(Image.keyword:*\\\\\\\\cmdkey.exe AND CommandLine.keyword:*\\\\ \\\\/list\\\\ *)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(Image.keyword:*\\\\\\\\cmdkey.exe AND CommandLine.keyword:*\\\\ \\\\/list\\\\ *)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Cmdkey Cached Credentials Recon\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n      CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}\\n             User = {{_source.User}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(Image.keyword:*\\\\cmdkey.exe AND CommandLine.keyword:* \\/list *)
+```
+
+
 ### splunk
     
 ```
@@ -58,4 +79,18 @@ level: low
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" Image="*\\\\cmdkey.exe" CommandLine="* /list *")
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*.*\\cmdkey\\.exe)(?=.*.* /list .*))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_cmstp_com_object_access.md b/Atomic_Threat_Coverage/Detection_Rules/win_cmstp_com_object_access.md
index 7412bd6..4479973 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_cmstp_com_object_access.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_cmstp_com_object_access.md
@@ -60,6 +60,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(ParentCommandLine.keyword:*\\\\DllHost.exe AND ParentCommandLine.keyword:(*\\{3E5FC7F9\\-9A51\\-4367\\-9063\\-A120244FBEC7\\} OR *\\{3E000D72\\-A845\\-4CD9\\-BD83\\-80C07C3B881F\\}))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/CMSTP-UAC-Bypass-via-COM-Object-Access <<EOF\n{\n  "metadata": {\n    "title": "CMSTP UAC Bypass via COM Object Access",\n    "description": "Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.privilege_escalation",\n      "attack.execution",\n      "attack.t1088",\n      "attack.t1191",\n      "attack.g0069",\n      "car.2019-04-001"\n    ],\n    "query": "(ParentCommandLine.keyword:*\\\\\\\\DllHost.exe AND ParentCommandLine.keyword:(*\\\\{3E5FC7F9\\\\-9A51\\\\-4367\\\\-9063\\\\-A120244FBEC7\\\\} OR *\\\\{3E000D72\\\\-A845\\\\-4CD9\\\\-BD83\\\\-80C07C3B881F\\\\}))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(ParentCommandLine.keyword:*\\\\\\\\DllHost.exe AND ParentCommandLine.keyword:(*\\\\{3E5FC7F9\\\\-9A51\\\\-4367\\\\-9063\\\\-A120244FBEC7\\\\} OR *\\\\{3E000D72\\\\-A845\\\\-4CD9\\\\-BD83\\\\-80C07C3B881F\\\\}))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'CMSTP UAC Bypass via COM Object Access\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n      CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}\\n           Hashes = {{_source.Hashes}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(ParentCommandLine.keyword:*\\\\DllHost.exe AND ParentCommandLine.keyword:(*\\{3E5FC7F9\\-9A51\\-4367\\-9063\\-A120244FBEC7\\} *\\{3E000D72\\-A845\\-4CD9\\-BD83\\-80C07C3B881F\\}))
+```
+
+
 ### splunk
     
 ```
@@ -67,4 +88,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" ParentCommandLine="*\\\\DllHost.exe" ParentCommandLine IN ["*{3E5FC7F9-9A51-4367-9063-A120244FBEC7}", "*{3E000D72-A845-4CD9-BD83-80C07C3B881F}"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*.*\\DllHost\\.exe)(?=.*(?:.*.*\\{3E5FC7F9-9A51-4367-9063-A120244FBEC7\\}|.*.*\\{3E000D72-A845-4CD9-BD83-80C07C3B881F\\})))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_control_panel_item.md b/Atomic_Threat_Coverage/Detection_Rules/win_control_panel_item.md
index 1cd863e..5646b81 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_control_panel_item.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_control_panel_item.md
@@ -3,7 +3,7 @@
 | Description          | Detects the use of a control panel item (.cpl) outside of the System32 folder                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1196: Control Panel Items](https://attack.mitre.org/techniques/T1196)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1196: Control Panel Items](../Triggers/T1196.md)</li></ul>  |
 | Severity Level       | critical |
@@ -51,6 +51,27 @@ falsepositives:
 
 
 
+### es-qs
+    
+```
+(CommandLine.keyword:*.cpl AND (NOT (CommandLine.keyword:(*\\\\System32\\\\* OR *%System%*))))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Control-Panel-Items <<EOF\n{\n  "metadata": {\n    "title": "Control Panel Items",\n    "description": "Detects the use of a control panel item (.cpl) outside of the System32 folder",\n    "tags": [\n      "attack.execution",\n      "attack.t1196",\n      "attack.defense_evasion"\n    ],\n    "query": "(CommandLine.keyword:*.cpl AND (NOT (CommandLine.keyword:(*\\\\\\\\System32\\\\\\\\* OR *%System%*))))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(CommandLine.keyword:*.cpl AND (NOT (CommandLine.keyword:(*\\\\\\\\System32\\\\\\\\* OR *%System%*))))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Control Panel Items\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(CommandLine.keyword:*.cpl AND (NOT (CommandLine.keyword:(*\\\\System32\\\\* *%System%*))))
+```
+
+
 ### splunk
     
 ```
@@ -58,4 +79,18 @@ falsepositives:
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" CommandLine="*.cpl"  -(CommandLine IN ["*\\\\System32\\\\*", "*%System%*"]))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*.*\\.cpl)(?=.*(?!.*(?:.*(?=.*(?:.*.*\\System32\\\\.*|.*.*%System%.*))))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_data_compressed_with_rar.md b/Atomic_Threat_Coverage/Detection_Rules/win_data_compressed_with_rar.md
index d923f92..0ce9f45 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_data_compressed_with_rar.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_data_compressed_with_rar.md
@@ -59,6 +59,27 @@ tags:
 
 
 
+### es-qs
+    
+```
+(Image.keyword:*\\\\rar.exe AND CommandLine.keyword:*\\ a\\ * AND CommandLine.keyword:*\\-r*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Data-Compressed <<EOF\n{\n  "metadata": {\n    "title": "Data Compressed",\n    "description": "An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network",\n    "tags": [\n      "attack.exfiltration",\n      "attack.t1002"\n    ],\n    "query": "(Image.keyword:*\\\\\\\\rar.exe AND CommandLine.keyword:*\\\\ a\\\\ * AND CommandLine.keyword:*\\\\-r*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(Image.keyword:*\\\\\\\\rar.exe AND CommandLine.keyword:*\\\\ a\\\\ * AND CommandLine.keyword:*\\\\-r*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Data Compressed\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n            Image = {{_source.Image}}\\n      CommandLine = {{_source.CommandLine}}\\n             User = {{_source.User}}\\n        LogonGuid = {{_source.LogonGuid}}\\n           Hashes = {{_source.Hashes}}\\nParentProcessGuid = {{_source.ParentProcessGuid}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(Image.keyword:*\\\\rar.exe AND CommandLine.keyword:* a * AND CommandLine.keyword:*\\-r*)
+```
+
+
 ### splunk
     
 ```
@@ -66,4 +87,18 @@ tags:
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" Image="*\\\\rar.exe" CommandLine="* a *" CommandLine="*-r*")
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*.*\\rar\\.exe)(?=.*.* a .*)(?=.*.*-r.*))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_dcsync.md b/Atomic_Threat_Coverage/Detection_Rules/win_dcsync.md
index 7fd3ab3..3cacb0d 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_dcsync.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_dcsync.md
@@ -59,6 +59,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(((EventID:"4662" AND Properties.keyword:(*Replicating\\ Directory\\ Changes\\ All* OR *1131f6ad\\-9c07\\-11d1\\-f79f\\-00c04fc2dcd2*)) AND (NOT (SubjectDomainName:"Window\\ Manager"))) AND (NOT (SubjectUserName.keyword:(NT\\ AUTHORITY* OR *$))))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Mimikatz-DC-Sync <<EOF\n{\n  "metadata": {\n    "title": "Mimikatz DC Sync",\n    "description": "Detects Mimikatz DC sync security events",\n    "tags": [\n      "attack.credential_access",\n      "attack.s0002",\n      "attack.t1003"\n    ],\n    "query": "(((EventID:\\"4662\\" AND Properties.keyword:(*Replicating\\\\ Directory\\\\ Changes\\\\ All* OR *1131f6ad\\\\-9c07\\\\-11d1\\\\-f79f\\\\-00c04fc2dcd2*)) AND (NOT (SubjectDomainName:\\"Window\\\\ Manager\\"))) AND (NOT (SubjectUserName.keyword:(NT\\\\ AUTHORITY* OR *$))))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(((EventID:\\"4662\\" AND Properties.keyword:(*Replicating\\\\ Directory\\\\ Changes\\\\ All* OR *1131f6ad\\\\-9c07\\\\-11d1\\\\-f79f\\\\-00c04fc2dcd2*)) AND (NOT (SubjectDomainName:\\"Window\\\\ Manager\\"))) AND (NOT (SubjectUserName.keyword:(NT\\\\ AUTHORITY* OR *$))))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Mimikatz DC Sync\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(((EventID:"4662" AND Properties.keyword:(*Replicating Directory Changes All* *1131f6ad\\-9c07\\-11d1\\-f79f\\-00c04fc2dcd2*)) AND (NOT (SubjectDomainName:"Window Manager"))) AND (NOT (SubjectUserName.keyword:(NT AUTHORITY* *$))))
+```
+
+
 ### splunk
     
 ```
@@ -66,4 +87,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_source="Microsoft-Windows-Security-Auditing" ((event_id="4662" Properties IN ["*Replicating Directory Changes All*", "*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*"])  -(SubjectDomainName="Window Manager"))  -(SubjectUserName IN ["NT AUTHORITY*", "*$"]))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*(?=.*(?:.*(?=.*4662)(?=.*(?:.*.*Replicating Directory Changes All.*|.*.*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2.*))))(?=.*(?!.*(?:.*(?=.*Window Manager))))))(?=.*(?!.*(?:.*(?=.*(?:.*NT AUTHORITY.*|.*.*\\$))))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_disable_event_logging.md b/Atomic_Threat_Coverage/Detection_Rules/win_disable_event_logging.md
index 4bb0588..451dd6d 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_disable_event_logging.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_disable_event_logging.md
@@ -50,6 +50,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(EventID:"4719" AND AuditPolicyChanges:"removed")
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Disabling-Windows-Event-Auditing <<EOF\n{\n  "metadata": {\n    "title": "Disabling Windows Event Auditing",\n    "description": "Detects scenarios where system auditing (ie: windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass local logging to evade detection when windows event logging is enabled and reviewed. Also, it is recommended to turn off \\"Local Group Policy Object Processing\\" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as \\"gpedit.msc\\". Please note, that disabling \\"Local Group Policy Object Processing\\" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.t1054"\n    ],\n    "query": "(EventID:\\"4719\\" AND AuditPolicyChanges:\\"removed\\")"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:\\"4719\\" AND AuditPolicyChanges:\\"removed\\")",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Disabling Windows Event Auditing\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(EventID:"4719" AND AuditPolicyChanges:"removed")
+```
+
+
 ### splunk
     
 ```
@@ -57,4 +78,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_source="Microsoft-Windows-Security-Auditing" event_id="4719" AuditPolicyChanges="removed")
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*4719)(?=.*removed))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_encoded_frombase64string.md b/Atomic_Threat_Coverage/Detection_Rules/win_encoded_frombase64string.md
index c7e6fe9..d550ca5 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_encoded_frombase64string.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_encoded_frombase64string.md
@@ -49,6 +49,27 @@ level: critical
 
 
 
+### es-qs
+    
+```
+CommandLine.keyword:(*OjpGcm9tQmFzZTY0U3RyaW5n* OR *o6RnJvbUJhc2U2NFN0cmluZ* OR *6OkZyb21CYXNlNjRTdHJpbm*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Encoded-FromBase64String <<EOF\n{\n  "metadata": {\n    "title": "Encoded FromBase64String",\n    "description": "Detects a base64 encoded FromBase64String keyword in a process command line",\n    "tags": [\n      "attack.t1086",\n      "attack.t1140",\n      "attack.execution",\n      "attack.defense_evasion"\n    ],\n    "query": "CommandLine.keyword:(*OjpGcm9tQmFzZTY0U3RyaW5n* OR *o6RnJvbUJhc2U2NFN0cmluZ* OR *6OkZyb21CYXNlNjRTdHJpbm*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "CommandLine.keyword:(*OjpGcm9tQmFzZTY0U3RyaW5n* OR *o6RnJvbUJhc2U2NFN0cmluZ* OR *6OkZyb21CYXNlNjRTdHJpbm*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Encoded FromBase64String\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n      CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+CommandLine.keyword:(*OjpGcm9tQmFzZTY0U3RyaW5n* *o6RnJvbUJhc2U2NFN0cmluZ* *6OkZyb21CYXNlNjRTdHJpbm*)
+```
+
+
 ### splunk
     
 ```
@@ -56,4 +77,18 @@ level: critical
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" CommandLine IN ["*OjpGcm9tQmFzZTY0U3RyaW5n*", "*o6RnJvbUJhc2U2NFN0cmluZ*", "*6OkZyb21CYXNlNjRTdHJpbm*"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*.*OjpGcm9tQmFzZTY0U3RyaW5n.*|.*.*o6RnJvbUJhc2U2NFN0cmluZ.*|.*.*6OkZyb21CYXNlNjRTdHJpbm.*)'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_encoded_iex.md b/Atomic_Threat_Coverage/Detection_Rules/win_encoded_iex.md
index 5a70936..d5afec6 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_encoded_iex.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_encoded_iex.md
@@ -52,6 +52,27 @@ level: critical
 
 
 
+### es-qs
+    
+```
+CommandLine.keyword:(*SUVYIChb* OR *lFWCAoW* OR *JRVggKF* OR *aWV4IChb* OR *lleCAoW* OR *pZXggKF* OR *aWV4IChOZX* OR *lleCAoTmV3* OR *pZXggKE5ld* OR *SUVYIChOZX* OR *lFWCAoTmV3* OR *JRVggKE5ld*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Encoded-IEX <<EOF\n{\n  "metadata": {\n    "title": "Encoded IEX",\n    "description": "Detects a base64 encoded IEX command string in a process command line",\n    "tags": [\n      "attack.t1086",\n      "attack.t1140",\n      "attack.execution"\n    ],\n    "query": "CommandLine.keyword:(*SUVYIChb* OR *lFWCAoW* OR *JRVggKF* OR *aWV4IChb* OR *lleCAoW* OR *pZXggKF* OR *aWV4IChOZX* OR *lleCAoTmV3* OR *pZXggKE5ld* OR *SUVYIChOZX* OR *lFWCAoTmV3* OR *JRVggKE5ld*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "CommandLine.keyword:(*SUVYIChb* OR *lFWCAoW* OR *JRVggKF* OR *aWV4IChb* OR *lleCAoW* OR *pZXggKF* OR *aWV4IChOZX* OR *lleCAoTmV3* OR *pZXggKE5ld* OR *SUVYIChOZX* OR *lFWCAoTmV3* OR *JRVggKE5ld*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Encoded IEX\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n      CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+CommandLine.keyword:(*SUVYIChb* *lFWCAoW* *JRVggKF* *aWV4IChb* *lleCAoW* *pZXggKF* *aWV4IChOZX* *lleCAoTmV3* *pZXggKE5ld* *SUVYIChOZX* *lFWCAoTmV3* *JRVggKE5ld*)
+```
+
+
 ### splunk
     
 ```
@@ -59,4 +80,18 @@ level: critical
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" CommandLine IN ["*SUVYIChb*", "*lFWCAoW*", "*JRVggKF*", "*aWV4IChb*", "*lleCAoW*", "*pZXggKF*", "*aWV4IChOZX*", "*lleCAoTmV3*", "*pZXggKE5ld*", "*SUVYIChOZX*", "*lFWCAoTmV3*", "*JRVggKE5ld*"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*.*SUVYIChb.*|.*.*lFWCAoW.*|.*.*JRVggKF.*|.*.*aWV4IChb.*|.*.*lleCAoW.*|.*.*pZXggKF.*|.*.*aWV4IChOZX.*|.*.*lleCAoTmV3.*|.*.*pZXggKE5ld.*|.*.*SUVYIChOZX.*|.*.*lFWCAoTmV3.*|.*.*JRVggKE5ld.*)'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_etw_trace_evasion.md b/Atomic_Threat_Coverage/Detection_Rules/win_etw_trace_evasion.md
index c3c00a7..953d8dc 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_etw_trace_evasion.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_etw_trace_evasion.md
@@ -3,7 +3,7 @@
 | Description          | Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1070: Indicator Removal on Host](https://attack.mitre.org/techniques/T1070)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1070: Indicator Removal on Host](../Triggers/T1070.md)</li></ul>  |
 | Severity Level       | high |
@@ -52,6 +52,27 @@ detection:
 
 
 
+### es-qs
+    
+```
+(CommandLine.keyword:*\\ cl\\ *\\/Trace* OR CommandLine.keyword:*\\ clear\\-log\\ *\\/Trace* OR CommandLine.keyword:*\\ sl*\\ \\/e\\:false* OR CommandLine.keyword:*\\ set\\-log*\\ \\/e\\:false*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Disable-of-ETW-Trace <<EOF\n{\n  "metadata": {\n    "title": "Disable of ETW Trace",\n    "description": "Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.",\n    "tags": [\n      "attack.execution",\n      "attack.t1070",\n      "car.2016-04-002"\n    ],\n    "query": "(CommandLine.keyword:*\\\\ cl\\\\ *\\\\/Trace* OR CommandLine.keyword:*\\\\ clear\\\\-log\\\\ *\\\\/Trace* OR CommandLine.keyword:*\\\\ sl*\\\\ \\\\/e\\\\:false* OR CommandLine.keyword:*\\\\ set\\\\-log*\\\\ \\\\/e\\\\:false*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(CommandLine.keyword:*\\\\ cl\\\\ *\\\\/Trace* OR CommandLine.keyword:*\\\\ clear\\\\-log\\\\ *\\\\/Trace* OR CommandLine.keyword:*\\\\ sl*\\\\ \\\\/e\\\\:false* OR CommandLine.keyword:*\\\\ set\\\\-log*\\\\ \\\\/e\\\\:false*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Disable of ETW Trace\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(CommandLine.keyword:* cl *\\/Trace* OR CommandLine.keyword:* clear\\-log *\\/Trace* OR CommandLine.keyword:* sl* \\/e\\:false* OR CommandLine.keyword:* set\\-log* \\/e\\:false*)
+```
+
+
 ### splunk
     
 ```
@@ -59,4 +80,18 @@ detection:
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" (CommandLine="* cl */Trace*" OR CommandLine="* clear-log */Trace*" OR CommandLine="* sl* /e:false*" OR CommandLine="* set-log* /e:false*"))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?:.*.* cl .*/Trace.*|.*.* clear-log .*/Trace.*|.*.* sl.* /e:false.*|.*.* set-log.* /e:false.*))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2015_1641.md b/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2015_1641.md
index a776255..a002ca1 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2015_1641.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2015_1641.md
@@ -3,7 +3,7 @@
 | Description          | Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1036: Masquerading](../Triggers/T1036.md)</li></ul>  |
 | Severity Level       | critical |
@@ -48,6 +48,27 @@ level: critical
 
 
 
+### es-qs
+    
+```
+(ParentImage.keyword:*\\\\WINWORD.EXE AND Image.keyword:*\\\\MicroScMgmt.exe\\ )
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Exploit-for-CVE-2015-1641 <<EOF\n{\n  "metadata": {\n    "title": "Exploit for CVE-2015-1641",\n    "description": "Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.t1036"\n    ],\n    "query": "(ParentImage.keyword:*\\\\\\\\WINWORD.EXE AND Image.keyword:*\\\\\\\\MicroScMgmt.exe\\\\ )"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(ParentImage.keyword:*\\\\\\\\WINWORD.EXE AND Image.keyword:*\\\\\\\\MicroScMgmt.exe\\\\ )",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Exploit for CVE-2015-1641\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(ParentImage.keyword:*\\\\WINWORD.EXE AND Image.keyword:*\\\\MicroScMgmt.exe )
+```
+
+
 ### splunk
     
 ```
@@ -55,4 +76,18 @@ level: critical
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" ParentImage="*\\\\WINWORD.EXE" Image="*\\\\MicroScMgmt.exe ")
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*.*\\WINWORD\\.EXE)(?=.*.*\\MicroScMgmt\\.exe ))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2017_0261.md b/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2017_0261.md
index a4173be..531bf9a 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2017_0261.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2017_0261.md
@@ -3,7 +3,7 @@
 | Description          | Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1055: Process Injection](https://attack.mitre.org/techniques/T1055)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1055: Process Injection](../Triggers/T1055.md)</li></ul>  |
 | Severity Level       | medium |
@@ -48,6 +48,27 @@ level: medium
 
 
 
+### es-qs
+    
+```
+(ParentImage.keyword:*\\\\WINWORD.EXE AND Image.keyword:*\\\\FLTLDR.exe*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Exploit-for-CVE-2017-0261 <<EOF\n{\n  "metadata": {\n    "title": "Exploit for CVE-2017-0261",\n    "description": "Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.privilege_escalation",\n      "attack.t1055"\n    ],\n    "query": "(ParentImage.keyword:*\\\\\\\\WINWORD.EXE AND Image.keyword:*\\\\\\\\FLTLDR.exe*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(ParentImage.keyword:*\\\\\\\\WINWORD.EXE AND Image.keyword:*\\\\\\\\FLTLDR.exe*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Exploit for CVE-2017-0261\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(ParentImage.keyword:*\\\\WINWORD.EXE AND Image.keyword:*\\\\FLTLDR.exe*)
+```
+
+
 ### splunk
     
 ```
@@ -55,4 +76,18 @@ level: medium
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" ParentImage="*\\\\WINWORD.EXE" Image="*\\\\FLTLDR.exe*")
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*.*\\WINWORD\\.EXE)(?=.*.*\\FLTLDR\\.exe.*))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2017_11882.md b/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2017_11882.md
index f01c192..b03a060 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2017_11882.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2017_11882.md
@@ -3,7 +3,7 @@
 | Description          | Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1211: Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1211: Exploitation for Defense Evasion](../Triggers/T1211.md)</li></ul>  |
 | Severity Level       | critical |
@@ -49,6 +49,27 @@ level: critical
 
 
 
+### es-qs
+    
+```
+ParentImage.keyword:*\\\\EQNEDT32.EXE
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Droppers-exploiting-CVE-2017-11882 <<EOF\n{\n  "metadata": {\n    "title": "Droppers exploiting CVE-2017-11882",\n    "description": "Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.t1211"\n    ],\n    "query": "ParentImage.keyword:*\\\\\\\\EQNEDT32.EXE"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "ParentImage.keyword:*\\\\\\\\EQNEDT32.EXE",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Droppers exploiting CVE-2017-11882\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\nCommandLine = {{_source.CommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+ParentImage.keyword:*\\\\EQNEDT32.EXE
+```
+
+
 ### splunk
     
 ```
@@ -56,4 +77,18 @@ ParentImage="*\\\\EQNEDT32.EXE" | table CommandLine
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" ParentImage="*\\\\EQNEDT32.EXE")
+```
+
+
+### grep
+    
+```
+grep -P '^.*\\EQNEDT32\\.EXE'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2017_8759.md b/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2017_8759.md
index af7e90d..92d54b7 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2017_8759.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2017_8759.md
@@ -3,7 +3,7 @@
 | Description          | Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1203: Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1203: Exploitation for Client Execution](../Triggers/T1203.md)</li></ul>  |
 | Severity Level       | critical |
@@ -47,6 +47,27 @@ level: critical
 
 
 
+### es-qs
+    
+```
+(ParentImage.keyword:*\\\\WINWORD.EXE AND Image.keyword:*\\\\csc.exe)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Exploit-for-CVE-2017-8759 <<EOF\n{\n  "metadata": {\n    "title": "Exploit for CVE-2017-8759",\n    "description": "Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759",\n    "tags": [\n      "attack.execution",\n      "attack.t1203"\n    ],\n    "query": "(ParentImage.keyword:*\\\\\\\\WINWORD.EXE AND Image.keyword:*\\\\\\\\csc.exe)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(ParentImage.keyword:*\\\\\\\\WINWORD.EXE AND Image.keyword:*\\\\\\\\csc.exe)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Exploit for CVE-2017-8759\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(ParentImage.keyword:*\\\\WINWORD.EXE AND Image.keyword:*\\\\csc.exe)
+```
+
+
 ### splunk
     
 ```
@@ -54,4 +75,18 @@ level: critical
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" ParentImage="*\\\\WINWORD.EXE" Image="*\\\\csc.exe")
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*.*\\WINWORD\\.EXE)(?=.*.*\\csc\\.exe))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2019_1378.md b/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2019_1378.md
index 11dc9fb..c40f35a 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2019_1378.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2019_1378.md
@@ -55,6 +55,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(ParentCommandLine.keyword:(*\\\\cmd.exe\\ \\/c\\ C\\:\\\\Windows\\\\Setup\\\\Scripts\\\\SetupComplete.cmd OR *\\\\cmd.exe\\ \\/c\\ C\\:\\\\Windows\\\\Setup\\\\Scripts\\\\PartnerSetupComplete.cmd) AND (NOT (Image.keyword:(C\\:\\\\Windows\\\\System32\\\\* OR C\\:\\\\Windows\\\\SysWOW64\\\\* OR C\\:\\\\Windows\\\\WinSxS\\\\* OR C\\:\\\\Windows\\\\Setup\\\\*))))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Exploiting-SetupComplete.cmd-CVE-2019-1378 <<EOF\n{\n  "metadata": {\n    "title": "Exploiting SetupComplete.cmd CVE-2019-1378",\n    "description": "Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd decribed in CVE-2019-1378",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.privilege_escalation",\n      "attack.t1055"\n    ],\n    "query": "(ParentCommandLine.keyword:(*\\\\\\\\cmd.exe\\\\ \\\\/c\\\\ C\\\\:\\\\\\\\Windows\\\\\\\\Setup\\\\\\\\Scripts\\\\\\\\SetupComplete.cmd OR *\\\\\\\\cmd.exe\\\\ \\\\/c\\\\ C\\\\:\\\\\\\\Windows\\\\\\\\Setup\\\\\\\\Scripts\\\\\\\\PartnerSetupComplete.cmd) AND (NOT (Image.keyword:(C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\Setup\\\\\\\\*))))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(ParentCommandLine.keyword:(*\\\\\\\\cmd.exe\\\\ \\\\/c\\\\ C\\\\:\\\\\\\\Windows\\\\\\\\Setup\\\\\\\\Scripts\\\\\\\\SetupComplete.cmd OR *\\\\\\\\cmd.exe\\\\ \\\\/c\\\\ C\\\\:\\\\\\\\Windows\\\\\\\\Setup\\\\\\\\Scripts\\\\\\\\PartnerSetupComplete.cmd) AND (NOT (Image.keyword:(C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\Setup\\\\\\\\*))))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Exploiting SetupComplete.cmd CVE-2019-1378\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(ParentCommandLine.keyword:(*\\\\cmd.exe \\/c C\\:\\\\Windows\\\\Setup\\\\Scripts\\\\SetupComplete.cmd *\\\\cmd.exe \\/c C\\:\\\\Windows\\\\Setup\\\\Scripts\\\\PartnerSetupComplete.cmd) AND (NOT (Image.keyword:(C\\:\\\\Windows\\\\System32\\\\* C\\:\\\\Windows\\\\SysWOW64\\\\* C\\:\\\\Windows\\\\WinSxS\\\\* C\\:\\\\Windows\\\\Setup\\\\*))))
+```
+
+
 ### splunk
     
 ```
@@ -62,4 +83,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" ParentCommandLine IN ["*\\\\cmd.exe /c C:\\\\Windows\\\\Setup\\\\Scripts\\\\SetupComplete.cmd", "*\\\\cmd.exe /c C:\\\\Windows\\\\Setup\\\\Scripts\\\\PartnerSetupComplete.cmd"]  -(Image IN ["C:\\\\Windows\\\\System32\\\\*", "C:\\\\Windows\\\\SysWOW64\\\\*", "C:\\\\Windows\\\\WinSxS\\\\*", "C:\\\\Windows\\\\Setup\\\\*"]))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*.*\\cmd\\.exe /c C:\\Windows\\Setup\\Scripts\\SetupComplete\\.cmd|.*.*\\cmd\\.exe /c C:\\Windows\\Setup\\Scripts\\PartnerSetupComplete\\.cmd))(?=.*(?!.*(?:.*(?=.*(?:.*C:\\Windows\\System32\\\\.*|.*C:\\Windows\\SysWOW64\\\\.*|.*C:\\Windows\\WinSxS\\\\.*|.*C:\\Windows\\Setup\\\\.*))))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2019_1388.md b/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2019_1388.md
index f53ec68..7574a21 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2019_1388.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_exploit_cve_2019_1388.md
@@ -52,6 +52,27 @@ level: critical
 
 
 
+### es-qs
+    
+```
+((ParentImage.keyword:*\\\\consent.exe AND Image.keyword:*\\\\iexplore.exe AND CommandLine.keyword:*\\ http*) AND (IntegrityLevel:"System" OR User:"NT\\ AUTHORITY\\\\SYSTEM"))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Exploiting-CVE-2019-1388 <<EOF\n{\n  "metadata": {\n    "title": "Exploiting CVE-2019-1388",\n    "description": "Detects an explotation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM",\n    "tags": [\n      "attack.privilege_escalation",\n      "attack.t1068"\n    ],\n    "query": "((ParentImage.keyword:*\\\\\\\\consent.exe AND Image.keyword:*\\\\\\\\iexplore.exe AND CommandLine.keyword:*\\\\ http*) AND (IntegrityLevel:\\"System\\" OR User:\\"NT\\\\ AUTHORITY\\\\\\\\SYSTEM\\"))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "((ParentImage.keyword:*\\\\\\\\consent.exe AND Image.keyword:*\\\\\\\\iexplore.exe AND CommandLine.keyword:*\\\\ http*) AND (IntegrityLevel:\\"System\\" OR User:\\"NT\\\\ AUTHORITY\\\\\\\\SYSTEM\\"))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Exploiting CVE-2019-1388\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+((ParentImage.keyword:*\\\\consent.exe AND Image.keyword:*\\\\iexplore.exe AND CommandLine.keyword:* http*) AND (IntegrityLevel:"System" OR User:"NT AUTHORITY\\\\SYSTEM"))
+```
+
+
 ### splunk
     
 ```
@@ -59,4 +80,18 @@ level: critical
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" ParentImage="*\\\\consent.exe" Image="*\\\\iexplore.exe" CommandLine="* http*" (IntegrityLevel="System" OR User="NT AUTHORITY\\\\SYSTEM"))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*(?=.*.*\\consent\\.exe)(?=.*.*\\iexplore\\.exe)(?=.*.* http.*)))(?=.*(?:.*(?:.*System|.*NT AUTHORITY\\SYSTEM))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_hack_rubeus.md b/Atomic_Threat_Coverage/Detection_Rules/win_hack_rubeus.md
index 42a31e2..afaadf6 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_hack_rubeus.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_hack_rubeus.md
@@ -3,7 +3,7 @@
 | Description          | Detects command line parameters used by Rubeus hack tool                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1003: Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1003: Credential Dumping](../Triggers/T1003.md)</li></ul>  |
 | Severity Level       | critical |
@@ -55,6 +55,27 @@ level: critical
 
 
 
+### es-qs
+    
+```
+CommandLine.keyword:(*\\ asreproast\\ * OR *\\ dump\\ \\/service\\:krbtgt\\ * OR *\\ kerberoast\\ * OR *\\ createnetonly\\ \\/program\\:* OR *\\ ptt\\ \\/ticket\\:* OR *\\ \\/impersonateuser\\:* OR *\\ renew\\ \\/ticket\\:* OR *\\ asktgt\\ \\/user\\:* OR *\\ harvest\\ \\/interval\\:*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Rubeus-Hack-Tool <<EOF\n{\n  "metadata": {\n    "title": "Rubeus Hack Tool",\n    "description": "Detects command line parameters used by Rubeus hack tool",\n    "tags": [\n      "attack.credential_access",\n      "attack.t1003",\n      "attack.s0005"\n    ],\n    "query": "CommandLine.keyword:(*\\\\ asreproast\\\\ * OR *\\\\ dump\\\\ \\\\/service\\\\:krbtgt\\\\ * OR *\\\\ kerberoast\\\\ * OR *\\\\ createnetonly\\\\ \\\\/program\\\\:* OR *\\\\ ptt\\\\ \\\\/ticket\\\\:* OR *\\\\ \\\\/impersonateuser\\\\:* OR *\\\\ renew\\\\ \\\\/ticket\\\\:* OR *\\\\ asktgt\\\\ \\\\/user\\\\:* OR *\\\\ harvest\\\\ \\\\/interval\\\\:*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "CommandLine.keyword:(*\\\\ asreproast\\\\ * OR *\\\\ dump\\\\ \\\\/service\\\\:krbtgt\\\\ * OR *\\\\ kerberoast\\\\ * OR *\\\\ createnetonly\\\\ \\\\/program\\\\:* OR *\\\\ ptt\\\\ \\\\/ticket\\\\:* OR *\\\\ \\\\/impersonateuser\\\\:* OR *\\\\ renew\\\\ \\\\/ticket\\\\:* OR *\\\\ asktgt\\\\ \\\\/user\\\\:* OR *\\\\ harvest\\\\ \\\\/interval\\\\:*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Rubeus Hack Tool\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+CommandLine.keyword:(* asreproast * * dump \\/service\\:krbtgt * * kerberoast * * createnetonly \\/program\\:* * ptt \\/ticket\\:* * \\/impersonateuser\\:* * renew \\/ticket\\:* * asktgt \\/user\\:* * harvest \\/interval\\:*)
+```
+
+
 ### splunk
     
 ```
@@ -62,4 +83,18 @@ level: critical
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" CommandLine IN ["* asreproast *", "* dump /service:krbtgt *", "* kerberoast *", "* createnetonly /program:*", "* ptt /ticket:*", "* /impersonateuser:*", "* renew /ticket:*", "* asktgt /user:*", "* harvest /interval:*"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*.* asreproast .*|.*.* dump /service:krbtgt .*|.*.* kerberoast .*|.*.* createnetonly /program:.*|.*.* ptt /ticket:.*|.*.* /impersonateuser:.*|.*.* renew /ticket:.*|.*.* asktgt /user:.*|.*.* harvest /interval:.*)'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_hack_smbexec.md b/Atomic_Threat_Coverage/Detection_Rules/win_hack_smbexec.md
index dfacf7b..dab513f 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_hack_smbexec.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_hack_smbexec.md
@@ -52,6 +52,27 @@ level: critical
 
 
 
+### es-qs
+    
+```
+(EventID:"7045" AND ServiceName:"BTOBTO" AND ServiceFileName.keyword:*\\\\execute.bat)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/smbexec.py-Service-Installation <<EOF\n{\n  "metadata": {\n    "title": "smbexec.py Service Installation",\n    "description": "Detects the use of smbexec.py tool by detecting a specific service installation",\n    "tags": [\n      "attack.lateral_movement",\n      "attack.execution",\n      "attack.t1077",\n      "attack.t1035"\n    ],\n    "query": "(EventID:\\"7045\\" AND ServiceName:\\"BTOBTO\\" AND ServiceFileName.keyword:*\\\\\\\\execute.bat)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:\\"7045\\" AND ServiceName:\\"BTOBTO\\" AND ServiceFileName.keyword:*\\\\\\\\execute.bat)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'smbexec.py Service Installation\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n    ServiceName = {{_source.ServiceName}}\\nServiceFileName = {{_source.ServiceFileName}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(EventID:"7045" AND ServiceName:"BTOBTO" AND ServiceFileName.keyword:*\\\\execute.bat)
+```
+
+
 ### splunk
     
 ```
@@ -59,4 +80,18 @@ level: critical
 ```
 
 
+### logpoint
+    
+```
+(event_source="Microsoft-Windows-Security-Auditing" event_id="7045" service="BTOBTO" ServiceFileName="*\\\\execute.bat")
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*7045)(?=.*BTOBTO)(?=.*.*\\execute\\.bat))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_hwp_exploits.md b/Atomic_Threat_Coverage/Detection_Rules/win_hwp_exploits.md
index 0cefa4d..14da4a5 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_hwp_exploits.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_hwp_exploits.md
@@ -3,7 +3,7 @@
 | Description          | Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0001: Initial Access](https://attack.mitre.org/tactics/TA0001)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1059: Command-Line Interface](https://attack.mitre.org/techniques/T1059)</li><li>[T1202: Indirect Command Execution](https://attack.mitre.org/techniques/T1202)</li><li>[T1193: Spearphishing Attachment](https://attack.mitre.org/techniques/T1193)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1059: Command-Line Interface](../Triggers/T1059.md)</li><li>[T1202: Indirect Command Execution](../Triggers/T1202.md)</li><li>[T1193: Spearphishing Attachment](../Triggers/T1193.md)</li></ul>  |
 | Severity Level       | high |
@@ -56,6 +56,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(ParentImage.keyword:*\\\\Hwp.exe AND Image.keyword:*\\\\gbb.exe)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-HWP-Sub-Processes <<EOF\n{\n  "metadata": {\n    "title": "Suspicious HWP Sub Processes",\n    "description": "Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation",\n    "tags": [\n      "attack.execution",\n      "attack.defense_evasion",\n      "attack.initial_access",\n      "attack.t1059",\n      "attack.t1202",\n      "attack.t1193",\n      "attack.g0032"\n    ],\n    "query": "(ParentImage.keyword:*\\\\\\\\Hwp.exe AND Image.keyword:*\\\\\\\\gbb.exe)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(ParentImage.keyword:*\\\\\\\\Hwp.exe AND Image.keyword:*\\\\\\\\gbb.exe)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Suspicious HWP Sub Processes\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(ParentImage.keyword:*\\\\Hwp.exe AND Image.keyword:*\\\\gbb.exe)
+```
+
+
 ### splunk
     
 ```
@@ -63,4 +84,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" ParentImage="*\\\\Hwp.exe" Image="*\\\\gbb.exe")
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*.*\\Hwp\\.exe)(?=.*.*\\gbb\\.exe))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_impacket_lateralization.md b/Atomic_Threat_Coverage/Detection_Rules/win_impacket_lateralization.md
index 64dd7ce..787950b 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_impacket_lateralization.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_impacket_lateralization.md
@@ -83,6 +83,27 @@ level: critical
 
 
 
+### es-qs
+    
+```
+((ParentImage.keyword:(*\\\\wmiprvse.exe OR *\\\\mmc.exe OR *\\\\explorer.exe OR *\\\\services.exe) AND CommandLine.keyword:(*cmd.exe*\\ \\/Q\\ \\/c\\ *\\ \\\\\\\\127.0.0.1\\\\*&1*)) OR (ParentCommandLine.keyword:(*svchost.exe\\ \\-k\\ netsvcs OR taskeng.exe*) AND CommandLine.keyword:(cmd.exe\\ \\/C\\ *Windows\\\\Temp\\\\*&1)))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Impacket-Lateralization-Detection <<EOF\n{\n  "metadata": {\n    "title": "Impacket Lateralization Detection",\n    "description": "Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework",\n    "tags": [\n      "attack.lateral_movement",\n      "attack.t1047",\n      "attack.t1175"\n    ],\n    "query": "((ParentImage.keyword:(*\\\\\\\\wmiprvse.exe OR *\\\\\\\\mmc.exe OR *\\\\\\\\explorer.exe OR *\\\\\\\\services.exe) AND CommandLine.keyword:(*cmd.exe*\\\\ \\\\/Q\\\\ \\\\/c\\\\ *\\\\ \\\\\\\\\\\\\\\\127.0.0.1\\\\\\\\*&1*)) OR (ParentCommandLine.keyword:(*svchost.exe\\\\ \\\\-k\\\\ netsvcs OR taskeng.exe*) AND CommandLine.keyword:(cmd.exe\\\\ \\\\/C\\\\ *Windows\\\\\\\\Temp\\\\\\\\*&1)))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "((ParentImage.keyword:(*\\\\\\\\wmiprvse.exe OR *\\\\\\\\mmc.exe OR *\\\\\\\\explorer.exe OR *\\\\\\\\services.exe) AND CommandLine.keyword:(*cmd.exe*\\\\ \\\\/Q\\\\ \\\\/c\\\\ *\\\\ \\\\\\\\\\\\\\\\127.0.0.1\\\\\\\\*&1*)) OR (ParentCommandLine.keyword:(*svchost.exe\\\\ \\\\-k\\\\ netsvcs OR taskeng.exe*) AND CommandLine.keyword:(cmd.exe\\\\ \\\\/C\\\\ *Windows\\\\\\\\Temp\\\\\\\\*&1)))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Impacket Lateralization Detection\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n      CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+((ParentImage.keyword:(*\\\\wmiprvse.exe *\\\\mmc.exe *\\\\explorer.exe *\\\\services.exe) AND CommandLine.keyword:(*cmd.exe* \\/Q \\/c * \\\\\\\\127.0.0.1\\\\*&1*)) OR (ParentCommandLine.keyword:(*svchost.exe \\-k netsvcs taskeng.exe*) AND CommandLine.keyword:(cmd.exe \\/C *Windows\\\\Temp\\\\*&1)))
+```
+
+
 ### splunk
     
 ```
@@ -90,4 +111,18 @@ level: critical
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" ((ParentImage IN ["*\\\\wmiprvse.exe", "*\\\\mmc.exe", "*\\\\explorer.exe", "*\\\\services.exe"] CommandLine IN ["*cmd.exe* /Q /c * \\\\\\\\127.0.0.1\\\\*&1*"]) OR (ParentCommandLine IN ["*svchost.exe -k netsvcs", "taskeng.exe*"] CommandLine IN ["cmd.exe /C *Windows\\\\Temp\\\\*&1"])))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?:.*(?:.*(?=.*(?:.*.*\\wmiprvse\\.exe|.*.*\\mmc\\.exe|.*.*\\explorer\\.exe|.*.*\\services\\.exe))(?=.*(?:.*.*cmd\\.exe.* /Q /c .* \\\\\\\\127\\.0\\.0\\.1\\\\.*&1.*)))|.*(?:.*(?=.*(?:.*.*svchost\\.exe -k netsvcs|.*taskeng\\.exe.*))(?=.*(?:.*cmd\\.exe /C .*Windows\\\\Temp\\\\.*&1)))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_impacket_secretdump.md b/Atomic_Threat_Coverage/Detection_Rules/win_impacket_secretdump.md
index de2eba3..792df76 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_impacket_secretdump.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_impacket_secretdump.md
@@ -47,6 +47,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(EventID:"5145" AND ShareName.keyword:\\\\*\\\\ADMIN$ AND RelativeTargetName.keyword:SYSTEM32\\\\*.tmp)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Possible-Impacket-SecretDump-remote-activity <<EOF\n{\n  "metadata": {\n    "title": "Possible Impacket SecretDump remote activity",\n    "description": "Detect AD credential dumping using impacket secretdump HKTL",\n    "tags": [\n      "attack.credential_access",\n      "attack.t1003"\n    ],\n    "query": "(EventID:\\"5145\\" AND ShareName.keyword:\\\\\\\\*\\\\\\\\ADMIN$ AND RelativeTargetName.keyword:SYSTEM32\\\\\\\\*.tmp)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:\\"5145\\" AND ShareName.keyword:\\\\\\\\*\\\\\\\\ADMIN$ AND RelativeTargetName.keyword:SYSTEM32\\\\\\\\*.tmp)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Possible Impacket SecretDump remote activity\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(EventID:"5145" AND ShareName.keyword:\\\\*\\\\ADMIN$ AND RelativeTargetName.keyword:SYSTEM32\\\\*.tmp)
+```
+
+
 ### splunk
     
 ```
@@ -54,4 +75,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_source="Microsoft-Windows-Security-Auditing" event_id="5145" ShareName="\\\\*\\\\ADMIN$" RelativeTargetName="SYSTEM32\\\\*.tmp")
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*5145)(?=.*\\\\.*\\ADMIN\\$)(?=.*SYSTEM32\\\\.*\\.tmp))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_install_reg_debugger_backdoor.md b/Atomic_Threat_Coverage/Detection_Rules/win_install_reg_debugger_backdoor.md
index 7c60a21..e866063 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_install_reg_debugger_backdoor.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_install_reg_debugger_backdoor.md
@@ -3,7 +3,7 @@
 | Description          | Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1015: Accessibility Features](https://attack.mitre.org/techniques/T1015)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1015: Accessibility Features](../Triggers/T1015.md)</li></ul>  |
 | Severity Level       | high |
@@ -54,6 +54,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+CommandLine.keyword:(*\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\sethc.exe* OR *\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\utilman.exe* OR *\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\osk.exe* OR *\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\magnify.exe* OR *\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\narrator.exe* OR *\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\displayswitch.exe*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-Debugger-Registration-Cmdline <<EOF\n{\n  "metadata": {\n    "title": "Suspicious Debugger Registration Cmdline",\n    "description": "Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).",\n    "tags": [\n      "attack.persistence",\n      "attack.privilege_escalation",\n      "attack.t1015"\n    ],\n    "query": "CommandLine.keyword:(*\\\\\\\\CurrentVersion\\\\\\\\Image\\\\ File\\\\ Execution\\\\ Options\\\\\\\\sethc.exe* OR *\\\\\\\\CurrentVersion\\\\\\\\Image\\\\ File\\\\ Execution\\\\ Options\\\\\\\\utilman.exe* OR *\\\\\\\\CurrentVersion\\\\\\\\Image\\\\ File\\\\ Execution\\\\ Options\\\\\\\\osk.exe* OR *\\\\\\\\CurrentVersion\\\\\\\\Image\\\\ File\\\\ Execution\\\\ Options\\\\\\\\magnify.exe* OR *\\\\\\\\CurrentVersion\\\\\\\\Image\\\\ File\\\\ Execution\\\\ Options\\\\\\\\narrator.exe* OR *\\\\\\\\CurrentVersion\\\\\\\\Image\\\\ File\\\\ Execution\\\\ Options\\\\\\\\displayswitch.exe*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "CommandLine.keyword:(*\\\\\\\\CurrentVersion\\\\\\\\Image\\\\ File\\\\ Execution\\\\ Options\\\\\\\\sethc.exe* OR *\\\\\\\\CurrentVersion\\\\\\\\Image\\\\ File\\\\ Execution\\\\ Options\\\\\\\\utilman.exe* OR *\\\\\\\\CurrentVersion\\\\\\\\Image\\\\ File\\\\ Execution\\\\ Options\\\\\\\\osk.exe* OR *\\\\\\\\CurrentVersion\\\\\\\\Image\\\\ File\\\\ Execution\\\\ Options\\\\\\\\magnify.exe* OR *\\\\\\\\CurrentVersion\\\\\\\\Image\\\\ File\\\\ Execution\\\\ Options\\\\\\\\narrator.exe* OR *\\\\\\\\CurrentVersion\\\\\\\\Image\\\\ File\\\\ Execution\\\\ Options\\\\\\\\displayswitch.exe*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Suspicious Debugger Registration Cmdline\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+CommandLine.keyword:(*\\\\CurrentVersion\\\\Image File Execution Options\\\\sethc.exe* *\\\\CurrentVersion\\\\Image File Execution Options\\\\utilman.exe* *\\\\CurrentVersion\\\\Image File Execution Options\\\\osk.exe* *\\\\CurrentVersion\\\\Image File Execution Options\\\\magnify.exe* *\\\\CurrentVersion\\\\Image File Execution Options\\\\narrator.exe* *\\\\CurrentVersion\\\\Image File Execution Options\\\\displayswitch.exe*)
+```
+
+
 ### splunk
     
 ```
@@ -61,4 +82,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" CommandLine IN ["*\\\\CurrentVersion\\\\Image File Execution Options\\\\sethc.exe*", "*\\\\CurrentVersion\\\\Image File Execution Options\\\\utilman.exe*", "*\\\\CurrentVersion\\\\Image File Execution Options\\\\osk.exe*", "*\\\\CurrentVersion\\\\Image File Execution Options\\\\magnify.exe*", "*\\\\CurrentVersion\\\\Image File Execution Options\\\\narrator.exe*", "*\\\\CurrentVersion\\\\Image File Execution Options\\\\displayswitch.exe*"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*.*\\CurrentVersion\\Image File Execution Options\\sethc\\.exe.*|.*.*\\CurrentVersion\\Image File Execution Options\\utilman\\.exe.*|.*.*\\CurrentVersion\\Image File Execution Options\\osk\\.exe.*|.*.*\\CurrentVersion\\Image File Execution Options\\magnify\\.exe.*|.*.*\\CurrentVersion\\Image File Execution Options\\narrator\\.exe.*|.*.*\\CurrentVersion\\Image File Execution Options\\displayswitch\\.exe.*)'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_kernel_and_3rd_party_drivers_exploits_token_stealing.md b/Atomic_Threat_Coverage/Detection_Rules/win_kernel_and_3rd_party_drivers_exploits_token_stealing.md
index afde55b..146b9f9 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_kernel_and_3rd_party_drivers_exploits_token_stealing.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_kernel_and_3rd_party_drivers_exploits_token_stealing.md
@@ -50,6 +50,27 @@ enrichment:
 
 
 
+### es-qs
+    
+```
+(ParentIntegrityLevel:"Medium" AND IntegrityLevel:"System" AND User:"NT\\ AUTHORITY\\\\SYSTEM")
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Windows-Kernel-and-3rd-party-drivers-exploits.-Token-stealing <<EOF\n{\n  "metadata": {\n    "title": "Windows Kernel and 3rd-party drivers exploits. Token stealing",\n    "description": "Detection of child processes spawned with SYSTEM privileges by parents with non-SYSTEM privileges and Medium integrity level",\n    "tags": [\n      "attack.privilege_escalation",\n      "attack.t1068"\n    ],\n    "query": "(ParentIntegrityLevel:\\"Medium\\" AND IntegrityLevel:\\"System\\" AND User:\\"NT\\\\ AUTHORITY\\\\\\\\SYSTEM\\")"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(ParentIntegrityLevel:\\"Medium\\" AND IntegrityLevel:\\"System\\" AND User:\\"NT\\\\ AUTHORITY\\\\\\\\SYSTEM\\")",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Windows Kernel and 3rd-party drivers exploits. Token stealing\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(ParentIntegrityLevel:"Medium" AND IntegrityLevel:"System" AND User:"NT AUTHORITY\\\\SYSTEM")
+```
+
+
 ### splunk
     
 ```
@@ -57,4 +78,18 @@ enrichment:
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" ParentIntegrityLevel="Medium" IntegrityLevel="System" User="NT AUTHORITY\\\\SYSTEM")
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*Medium)(?=.*System)(?=.*NT AUTHORITY\\SYSTEM))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_lethalhta.md b/Atomic_Threat_Coverage/Detection_Rules/win_lethalhta.md
index ee17def..280a7f6 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_lethalhta.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_lethalhta.md
@@ -3,7 +3,7 @@
 | Description          | Detects MSHTA.EXE spwaned by SVCHOST described in report                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1170: Mshta](https://attack.mitre.org/techniques/T1170)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1170: Mshta](../Triggers/T1170.md)</li></ul>  |
 | Severity Level       | high |
@@ -48,6 +48,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(ParentImage.keyword:*\\\\svchost.exe AND Image.keyword:*\\\\mshta.exe)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/MSHTA-spwaned-by-SVCHOST-as-seen-in-LethalHTA <<EOF\n{\n  "metadata": {\n    "title": "MSHTA spwaned by SVCHOST as seen in LethalHTA",\n    "description": "Detects MSHTA.EXE spwaned by SVCHOST described in report",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.execution",\n      "attack.t1170"\n    ],\n    "query": "(ParentImage.keyword:*\\\\\\\\svchost.exe AND Image.keyword:*\\\\\\\\mshta.exe)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(ParentImage.keyword:*\\\\\\\\svchost.exe AND Image.keyword:*\\\\\\\\mshta.exe)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'MSHTA spwaned by SVCHOST as seen in LethalHTA\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(ParentImage.keyword:*\\\\svchost.exe AND Image.keyword:*\\\\mshta.exe)
+```
+
+
 ### splunk
     
 ```
@@ -55,4 +76,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" ParentImage="*\\\\svchost.exe" Image="*\\\\mshta.exe")
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*.*\\svchost\\.exe)(?=.*.*\\mshta\\.exe))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_lm_namedpipe.md b/Atomic_Threat_Coverage/Detection_Rules/win_lm_namedpipe.md
index e4e00fb..7ee9d4f 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_lm_namedpipe.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_lm_namedpipe.md
@@ -61,6 +61,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+((EventID:"5145" AND ShareName.keyword:\\\\*\\\\IPC$) AND (NOT (EventID:"5145" AND ShareName.keyword:\\\\*\\\\IPC$ AND RelativeTargetName:("atsvc" OR "samr" OR "lsarpc" OR "winreg" OR "netlogon" OR "srvsvc" OR "protected_storage" OR "wkssvc" OR "browser" OR "netdfs"))))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/First-time-seen-remote-named-pipe <<EOF\n{\n  "metadata": {\n    "title": "First time seen remote named pipe",\n    "description": "This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes",\n    "tags": [\n      "attack.lateral_movement",\n      "attack.t1077"\n    ],\n    "query": "((EventID:\\"5145\\" AND ShareName.keyword:\\\\\\\\*\\\\\\\\IPC$) AND (NOT (EventID:\\"5145\\" AND ShareName.keyword:\\\\\\\\*\\\\\\\\IPC$ AND RelativeTargetName:(\\"atsvc\\" OR \\"samr\\" OR \\"lsarpc\\" OR \\"winreg\\" OR \\"netlogon\\" OR \\"srvsvc\\" OR \\"protected_storage\\" OR \\"wkssvc\\" OR \\"browser\\" OR \\"netdfs\\"))))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "((EventID:\\"5145\\" AND ShareName.keyword:\\\\\\\\*\\\\\\\\IPC$) AND (NOT (EventID:\\"5145\\" AND ShareName.keyword:\\\\\\\\*\\\\\\\\IPC$ AND RelativeTargetName:(\\"atsvc\\" OR \\"samr\\" OR \\"lsarpc\\" OR \\"winreg\\" OR \\"netlogon\\" OR \\"srvsvc\\" OR \\"protected_storage\\" OR \\"wkssvc\\" OR \\"browser\\" OR \\"netdfs\\"))))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'First time seen remote named pipe\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+((EventID:"5145" AND ShareName.keyword:\\\\*\\\\IPC$) AND (NOT (EventID:"5145" AND ShareName.keyword:\\\\*\\\\IPC$ AND RelativeTargetName:("atsvc" "samr" "lsarpc" "winreg" "netlogon" "srvsvc" "protected_storage" "wkssvc" "browser" "netdfs"))))
+```
+
+
 ### splunk
     
 ```
@@ -68,4 +89,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_source="Microsoft-Windows-Security-Auditing" (event_id="5145" ShareName="\\\\*\\\\IPC$")  -(event_id="5145" ShareName="\\\\*\\\\IPC$" RelativeTargetName IN ["atsvc", "samr", "lsarpc", "winreg", "netlogon", "srvsvc", "protected_storage", "wkssvc", "browser", "netdfs"]))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*(?=.*5145)(?=.*\\\\.*\\IPC\\$)))(?=.*(?!.*(?:.*(?=.*5145)(?=.*\\\\.*\\IPC\\$)(?=.*(?:.*atsvc|.*samr|.*lsarpc|.*winreg|.*netlogon|.*srvsvc|.*protected_storage|.*wkssvc|.*browser|.*netdfs))))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_local_system_owner_account_discovery.md b/Atomic_Threat_Coverage/Detection_Rules/win_local_system_owner_account_discovery.md
index a197bd7..dfd0ef4 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_local_system_owner_account_discovery.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_local_system_owner_account_discovery.md
@@ -86,6 +86,27 @@ tags:
 
 
 
+### es-qs
+    
+```
+((Image.keyword:*\\\\whoami.exe OR (Image.keyword:*\\\\wmic.exe AND CommandLine.keyword:*useraccount* AND CommandLine.keyword:*get*) OR Image.keyword:(*\\\\quser.exe OR *\\\\qwinsta.exe) OR (Image.keyword:*\\\\cmdkey.exe AND CommandLine.keyword:*\\/list*) OR (Image.keyword:*\\\\cmd.exe AND CommandLine.keyword:*\\/c* AND CommandLine.keyword:*dir* AND CommandLine.keyword:*\\\\Users\\*)) OR ((Image.keyword:(*\\\\net.exe OR *\\\\net1.exe) AND CommandLine.keyword:*user*) AND (NOT (CommandLine.keyword:(*\\/domain* OR *\\/add* OR *\\/delete* OR *\\/active* OR *\\/expires* OR *\\/passwordreq* OR *\\/scriptpath* OR *\\/times* OR *\\/workstations*)))))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Local-accounts-discovery <<EOF\n{\n  "metadata": {\n    "title": "Local accounts discovery",\n    "description": "Local accounts, System Owner/User discovery using operating systems utilities",\n    "tags": [\n      "attack.discovery",\n      "attack.t1033",\n      "attack.t1087"\n    ],\n    "query": "((Image.keyword:*\\\\\\\\whoami.exe OR (Image.keyword:*\\\\\\\\wmic.exe AND CommandLine.keyword:*useraccount* AND CommandLine.keyword:*get*) OR Image.keyword:(*\\\\\\\\quser.exe OR *\\\\\\\\qwinsta.exe) OR (Image.keyword:*\\\\\\\\cmdkey.exe AND CommandLine.keyword:*\\\\/list*) OR (Image.keyword:*\\\\\\\\cmd.exe AND CommandLine.keyword:*\\\\/c* AND CommandLine.keyword:*dir* AND CommandLine.keyword:*\\\\\\\\Users\\\\*)) OR ((Image.keyword:(*\\\\\\\\net.exe OR *\\\\\\\\net1.exe) AND CommandLine.keyword:*user*) AND (NOT (CommandLine.keyword:(*\\\\/domain* OR *\\\\/add* OR *\\\\/delete* OR *\\\\/active* OR *\\\\/expires* OR *\\\\/passwordreq* OR *\\\\/scriptpath* OR *\\\\/times* OR *\\\\/workstations*)))))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "((Image.keyword:*\\\\\\\\whoami.exe OR (Image.keyword:*\\\\\\\\wmic.exe AND CommandLine.keyword:*useraccount* AND CommandLine.keyword:*get*) OR Image.keyword:(*\\\\\\\\quser.exe OR *\\\\\\\\qwinsta.exe) OR (Image.keyword:*\\\\\\\\cmdkey.exe AND CommandLine.keyword:*\\\\/list*) OR (Image.keyword:*\\\\\\\\cmd.exe AND CommandLine.keyword:*\\\\/c* AND CommandLine.keyword:*dir* AND CommandLine.keyword:*\\\\\\\\Users\\\\*)) OR ((Image.keyword:(*\\\\\\\\net.exe OR *\\\\\\\\net1.exe) AND CommandLine.keyword:*user*) AND (NOT (CommandLine.keyword:(*\\\\/domain* OR *\\\\/add* OR *\\\\/delete* OR *\\\\/active* OR *\\\\/expires* OR *\\\\/passwordreq* OR *\\\\/scriptpath* OR *\\\\/times* OR *\\\\/workstations*)))))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Local accounts discovery\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n            Image = {{_source.Image}}\\n      CommandLine = {{_source.CommandLine}}\\n             User = {{_source.User}}\\n        LogonGuid = {{_source.LogonGuid}}\\n           Hashes = {{_source.Hashes}}\\nParentProcessGuid = {{_source.ParentProcessGuid}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+((Image.keyword:*\\\\whoami.exe OR (Image.keyword:*\\\\wmic.exe AND CommandLine.keyword:*useraccount* AND CommandLine.keyword:*get*) OR Image.keyword:(*\\\\quser.exe *\\\\qwinsta.exe) OR (Image.keyword:*\\\\cmdkey.exe AND CommandLine.keyword:*\\/list*) OR (Image.keyword:*\\\\cmd.exe AND CommandLine.keyword:*\\/c* AND CommandLine.keyword:*dir* AND CommandLine.keyword:*\\\\Users\\*)) OR ((Image.keyword:(*\\\\net.exe *\\\\net1.exe) AND CommandLine.keyword:*user*) AND (NOT (CommandLine.keyword:(*\\/domain* *\\/add* *\\/delete* *\\/active* *\\/expires* *\\/passwordreq* *\\/scriptpath* *\\/times* *\\/workstations*)))))
+```
+
+
 ### splunk
     
 ```
@@ -93,4 +114,18 @@ tags:
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" ((Image="*\\\\whoami.exe" OR (Image="*\\\\wmic.exe" CommandLine="*useraccount*" CommandLine="*get*") OR Image IN ["*\\\\quser.exe", "*\\\\qwinsta.exe"] OR (Image="*\\\\cmdkey.exe" CommandLine="*/list*") OR (Image="*\\\\cmd.exe" CommandLine="*/c*" CommandLine="*dir*" CommandLine="*\\\\Users\\*")) OR (event_id="1" (Image IN ["*\\\\net.exe", "*\\\\net1.exe"] CommandLine="*user*")  -(CommandLine IN ["*/domain*", "*/add*", "*/delete*", "*/active*", "*/expires*", "*/passwordreq*", "*/scriptpath*", "*/times*", "*/workstations*"]))))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?:.*(?:.*(?:.*.*\\whoami\\.exe|.*(?:.*(?=.*.*\\wmic\\.exe)(?=.*.*useraccount.*)(?=.*.*get.*))|.*(?:.*.*\\quser\\.exe|.*.*\\qwinsta\\.exe)|.*(?:.*(?=.*.*\\cmdkey\\.exe)(?=.*.*/list.*))|.*(?:.*(?=.*.*\\cmd\\.exe)(?=.*.*/c.*)(?=.*.*dir.*)(?=.*.*\\Users\\.*))))|.*(?:.*(?=.*(?:.*(?=.*(?:.*.*\\net\\.exe|.*.*\\net1\\.exe))(?=.*.*user.*)))(?=.*(?!.*(?:.*(?=.*(?:.*.*/domain.*|.*.*/add.*|.*.*/delete.*|.*.*/active.*|.*.*/expires.*|.*.*/passwordreq.*|.*.*/scriptpath.*|.*.*/times.*|.*.*/workstations.*))))))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_mal_adwind.md b/Atomic_Threat_Coverage/Detection_Rules/win_mal_adwind.md
index 6adcf2d..fbb4f0b 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_mal_adwind.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_mal_adwind.md
@@ -3,7 +3,7 @@
 | Description          | Detects javaw.exe in AppData folder as used by Adwind / JRAT                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1064: Scripting](https://attack.mitre.org/techniques/T1064)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0015_11_windows_sysmon_FileCreate](../Data_Needed/DN_0015_11_windows_sysmon_FileCreate.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0015_11_windows_sysmon_FileCreate](../Data_Needed/DN_0015_11_windows_sysmon_FileCreate.md)</li><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1064: Scripting](../Triggers/T1064.md)</li></ul>  |
 | Severity Level       | high |
@@ -70,6 +70,27 @@ detection:
 
 
 
+### es-qs
+    
+```
+CommandLine.keyword:(*\\\\AppData\\\\Roaming\\\\Oracle*\\\\java*.exe\\ * OR *cscript.exe\\ *Retrive*.vbs\\ *)\n(EventID:"11" AND TargetFilename.keyword:(*\\\\AppData\\\\Roaming\\\\Oracle\\\\bin\\\\java*.exe OR *\\\\Retrive*.vbs))\n(EventID:"13" AND TargetObject.keyword:\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run* AND Details.keyword:%AppData%\\\\Roaming\\\\Oracle\\\\bin\\\\*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Adwind-RAT-/-JRAT <<EOF\n{\n  "metadata": {\n    "title": "Adwind RAT / JRAT",\n    "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT",\n    "tags": [\n      "attack.execution",\n      "attack.t1064"\n    ],\n    "query": "CommandLine.keyword:(*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Oracle*\\\\\\\\java*.exe\\\\ * OR *cscript.exe\\\\ *Retrive*.vbs\\\\ *)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "CommandLine.keyword:(*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Oracle*\\\\\\\\java*.exe\\\\ * OR *cscript.exe\\\\ *Retrive*.vbs\\\\ *)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Adwind RAT / JRAT\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\ncurl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Adwind-RAT-/-JRAT-2 <<EOF\n{\n  "metadata": {\n    "title": "Adwind RAT / JRAT",\n    "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT",\n    "tags": [\n      "attack.execution",\n      "attack.t1064"\n    ],\n    "query": "(EventID:\\"11\\" AND TargetFilename.keyword:(*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Oracle\\\\\\\\bin\\\\\\\\java*.exe OR *\\\\\\\\Retrive*.vbs))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:\\"11\\" AND TargetFilename.keyword:(*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Oracle\\\\\\\\bin\\\\\\\\java*.exe OR *\\\\\\\\Retrive*.vbs))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Adwind RAT / JRAT\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\ncurl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Adwind-RAT-/-JRAT-3 <<EOF\n{\n  "metadata": {\n    "title": "Adwind RAT / JRAT",\n    "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT",\n    "tags": [\n      "attack.execution",\n      "attack.t1064"\n    ],\n    "query": "(EventID:\\"13\\" AND TargetObject.keyword:\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run* AND Details.keyword:%AppData%\\\\\\\\Roaming\\\\\\\\Oracle\\\\\\\\bin\\\\\\\\*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:\\"13\\" AND TargetObject.keyword:\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run* AND Details.keyword:%AppData%\\\\\\\\Roaming\\\\\\\\Oracle\\\\\\\\bin\\\\\\\\*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Adwind RAT / JRAT\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+CommandLine.keyword:(*\\\\AppData\\\\Roaming\\\\Oracle*\\\\java*.exe * *cscript.exe *Retrive*.vbs *)\n(EventID:"11" AND TargetFilename.keyword:(*\\\\AppData\\\\Roaming\\\\Oracle\\\\bin\\\\java*.exe *\\\\Retrive*.vbs))\n(EventID:"13" AND TargetObject.keyword:\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run* AND Details.keyword:%AppData%\\\\Roaming\\\\Oracle\\\\bin\\\\*)
+```
+
+
 ### splunk
     
 ```
@@ -77,4 +98,18 @@ detection:
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" CommandLine IN ["*\\\\AppData\\\\Roaming\\\\Oracle*\\\\java*.exe *", "*cscript.exe *Retrive*.vbs *"])\n(event_id="11" TargetFilename IN ["*\\\\AppData\\\\Roaming\\\\Oracle\\\\bin\\\\java*.exe", "*\\\\Retrive*.vbs"])\n(event_id="13" TargetObject="\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run*" Details="%AppData%\\\\Roaming\\\\Oracle\\\\bin\\\\*")
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*.*\\AppData\\Roaming\\Oracle.*\\java.*\\.exe .*|.*.*cscript\\.exe .*Retrive.*\\.vbs .*)'\ngrep -P '^(?:.*(?=.*11)(?=.*(?:.*.*\\AppData\\Roaming\\Oracle\\bin\\java.*\\.exe|.*.*\\Retrive.*\\.vbs)))'\ngrep -P '^(?:.*(?=.*13)(?=.*\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run.*)(?=.*%AppData%\\Roaming\\Oracle\\bin\\\\.*))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_mal_creddumper.md b/Atomic_Threat_Coverage/Detection_Rules/win_mal_creddumper.md
index b6a787f..a6f0538 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_mal_creddumper.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_mal_creddumper.md
@@ -3,7 +3,7 @@
 | Description          | This method detects well-known keywords of malicious services in the Windows System Eventlog                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1003: Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0083_16_access_history_in_hive_was_cleared](../Data_Needed/DN_0083_16_access_history_in_hive_was_cleared.md)</li><li>[DN_0063_4697_service_was_installed_in_the_system](../Data_Needed/DN_0063_4697_service_was_installed_in_the_system.md)</li><li>[DN_0005_7045_windows_service_insatalled](../Data_Needed/DN_0005_7045_windows_service_insatalled.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0005_7045_windows_service_insatalled](../Data_Needed/DN_0005_7045_windows_service_insatalled.md)</li><li>[DN_0083_16_access_history_in_hive_was_cleared](../Data_Needed/DN_0083_16_access_history_in_hive_was_cleared.md)</li><li>[DN_0063_4697_service_was_installed_in_the_system](../Data_Needed/DN_0063_4697_service_was_installed_in_the_system.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1003: Credential Dumping](../Triggers/T1003.md)</li></ul>  |
 | Severity Level       | high |
@@ -60,6 +60,27 @@ detection:
 
 
 
+### es-qs
+    
+```
+((Message.keyword:(*WCE\\ SERVICE* OR *WCESERVICE* OR *DumpSvc*) AND (EventID:("7045") OR EventID:"4697")) OR (EventID:"16" AND HiveName.keyword:*\\\\AppData\\\\Local\\\\Temp\\\\SAM*.dmp))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Malicious-Service-Install <<EOF\n{\n  "metadata": {\n    "title": "Malicious Service Install",\n    "description": "This method detects well-known keywords of malicious services in the Windows System Eventlog",\n    "tags": [\n      "attack.credential_access",\n      "attack.t1003",\n      "attack.s0005"\n    ],\n    "query": "((Message.keyword:(*WCE\\\\ SERVICE* OR *WCESERVICE* OR *DumpSvc*) AND (EventID:(\\"7045\\") OR EventID:\\"4697\\")) OR (EventID:\\"16\\" AND HiveName.keyword:*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\SAM*.dmp))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "((Message.keyword:(*WCE\\\\ SERVICE* OR *WCESERVICE* OR *DumpSvc*) AND (EventID:(\\"7045\\") OR EventID:\\"4697\\")) OR (EventID:\\"16\\" AND HiveName.keyword:*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\SAM*.dmp))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Malicious Service Install\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+((Message.keyword:(*WCE SERVICE* *WCESERVICE* *DumpSvc*) AND (EventID:("7045") OR EventID:"4697")) OR (EventID:"16" AND HiveName.keyword:*\\\\AppData\\\\Local\\\\Temp\\\\SAM*.dmp))
+```
+
+
 ### splunk
     
 ```
@@ -67,4 +88,18 @@ detection:
 ```
 
 
+### logpoint
+    
+```
+(event_source="Microsoft-Windows-Security-Auditing" ((event_source="Microsoft-Windows-Security-Auditing" Message IN ["*WCE SERVICE*", "*WCESERVICE*", "*DumpSvc*"] (event_id IN ["7045"] OR event_id="4697")) OR (event_id="16" HiveName="*\\\\AppData\\\\Local\\\\Temp\\\\SAM*.dmp")))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?:.*(?:.*(?=.*(?:.*.*WCE SERVICE.*|.*.*WCESERVICE.*|.*.*DumpSvc.*))(?=.*(?:.*(?:.*(?:.*7045)|.*4697))))|.*(?:.*(?=.*16)(?=.*.*\\AppData\\Local\\Temp\\SAM.*\\.dmp))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_mal_ryuk.md b/Atomic_Threat_Coverage/Detection_Rules/win_mal_ryuk.md
index 78df2ce..8172499 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_mal_ryuk.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_mal_ryuk.md
@@ -3,7 +3,7 @@
 | Description          | Detects Ryuk Ransomware command lines                                                                                                                                           |
 | ATT&amp;CK Tactic    |   This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet  |
 | ATT&amp;CK Technique |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              |  There is no documented Trigger for this Detection Rule yet  |
 | Severity Level       | critical |
@@ -46,6 +46,27 @@ level: critical
 
 
 
+### es-qs
+    
+```
+CommandLine.keyword:(*\\\\net.exe\\ stop\\ \\"samss\\"\\ * OR *\\\\net.exe\\ stop\\ \\"audioendpointbuilder\\"\\ * OR *\\\\net.exe\\ stop\\ \\"unistoresvc_?????\\"\\ *)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Ryuk-Ransomware <<EOF\n{\n  "metadata": {\n    "title": "Ryuk Ransomware",\n    "description": "Detects Ryuk Ransomware command lines",\n    "tags": "",\n    "query": "CommandLine.keyword:(*\\\\\\\\net.exe\\\\ stop\\\\ \\\\\\"samss\\\\\\"\\\\ * OR *\\\\\\\\net.exe\\\\ stop\\\\ \\\\\\"audioendpointbuilder\\\\\\"\\\\ * OR *\\\\\\\\net.exe\\\\ stop\\\\ \\\\\\"unistoresvc_?????\\\\\\"\\\\ *)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "CommandLine.keyword:(*\\\\\\\\net.exe\\\\ stop\\\\ \\\\\\"samss\\\\\\"\\\\ * OR *\\\\\\\\net.exe\\\\ stop\\\\ \\\\\\"audioendpointbuilder\\\\\\"\\\\ * OR *\\\\\\\\net.exe\\\\ stop\\\\ \\\\\\"unistoresvc_?????\\\\\\"\\\\ *)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Ryuk Ransomware\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+CommandLine.keyword:(*\\\\net.exe stop \\"samss\\" * *\\\\net.exe stop \\"audioendpointbuilder\\" * *\\\\net.exe stop \\"unistoresvc_?????\\" *)
+```
+
+
 ### splunk
     
 ```
@@ -53,4 +74,18 @@ level: critical
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" CommandLine IN ["*\\\\net.exe stop \\"samss\\" *", "*\\\\net.exe stop \\"audioendpointbuilder\\" *", "*\\\\net.exe stop \\"unistoresvc_?????\\" *"])
+```
+
+
+### grep
+    
+```
+grep -P \'^(?:.*.*\\net\\.exe stop "samss" .*|.*.*\\net\\.exe stop "audioendpointbuilder" .*|.*.*\\net\\.exe stop "unistoresvc_?????" .*)\'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_mal_service_installs.md b/Atomic_Threat_Coverage/Detection_Rules/win_mal_service_installs.md
index cbb506a..2401c91 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_mal_service_installs.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_mal_service_installs.md
@@ -63,6 +63,27 @@ level: critical
 
 
 
+### es-qs
+    
+```
+(EventID:"7045" AND (ServiceName:("WCESERVICE" OR "WCE\\ SERVICE") OR ServiceFileName.keyword:*\\\\PAExec* OR ServiceFileName.keyword:winexesvc.exe* OR ServiceFileName.keyword:*\\\\DumpSvc.exe OR ServiceName:"mssecsvc2.0" OR ServiceFileName.keyword:*\\ net\\ user\\ * OR ServiceName.keyword:(pwdump* OR gsecdump* OR cachedump*)))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Malicious-Service-Installations <<EOF\n{\n  "metadata": {\n    "title": "Malicious Service Installations",\n    "description": "Detects known malicious service installs that only appear in cases of lateral movement, credential dumping and other suspicious activity",\n    "tags": [\n      "attack.persistence",\n      "attack.privilege_escalation",\n      "attack.t1050",\n      "car.2013-09-005"\n    ],\n    "query": "(EventID:\\"7045\\" AND (ServiceName:(\\"WCESERVICE\\" OR \\"WCE\\\\ SERVICE\\") OR ServiceFileName.keyword:*\\\\\\\\PAExec* OR ServiceFileName.keyword:winexesvc.exe* OR ServiceFileName.keyword:*\\\\\\\\DumpSvc.exe OR ServiceName:\\"mssecsvc2.0\\" OR ServiceFileName.keyword:*\\\\ net\\\\ user\\\\ * OR ServiceName.keyword:(pwdump* OR gsecdump* OR cachedump*)))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:\\"7045\\" AND (ServiceName:(\\"WCESERVICE\\" OR \\"WCE\\\\ SERVICE\\") OR ServiceFileName.keyword:*\\\\\\\\PAExec* OR ServiceFileName.keyword:winexesvc.exe* OR ServiceFileName.keyword:*\\\\\\\\DumpSvc.exe OR ServiceName:\\"mssecsvc2.0\\" OR ServiceFileName.keyword:*\\\\ net\\\\ user\\\\ * OR ServiceName.keyword:(pwdump* OR gsecdump* OR cachedump*)))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Malicious Service Installations\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(EventID:"7045" AND (ServiceName:("WCESERVICE" "WCE SERVICE") OR ServiceFileName.keyword:*\\\\PAExec* OR ServiceFileName.keyword:winexesvc.exe* OR ServiceFileName.keyword:*\\\\DumpSvc.exe OR ServiceName:"mssecsvc2.0" OR ServiceFileName.keyword:* net user * OR ServiceName.keyword:(pwdump* gsecdump* cachedump*)))
+```
+
+
 ### splunk
     
 ```
@@ -70,4 +91,18 @@ level: critical
 ```
 
 
+### logpoint
+    
+```
+(event_source="Microsoft-Windows-Security-Auditing" event_id="7045" (service IN ["WCESERVICE", "WCE SERVICE"] OR ServiceFileName="*\\\\PAExec*" OR ServiceFileName="winexesvc.exe*" OR ServiceFileName="*\\\\DumpSvc.exe" OR service="mssecsvc2.0" OR ServiceFileName="* net user *" OR service IN ["pwdump*", "gsecdump*", "cachedump*"]))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*7045)(?=.*(?:.*(?:.*(?:.*WCESERVICE|.*WCE SERVICE)|.*.*\\PAExec.*|.*winexesvc\\.exe.*|.*.*\\DumpSvc\\.exe|.*mssecsvc2\\.0|.*.* net user .*|.*(?:.*pwdump.*|.*gsecdump.*|.*cachedump.*)))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_mal_ursnif.md b/Atomic_Threat_Coverage/Detection_Rules/win_mal_ursnif.md
index c898bb8..71b4831 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_mal_ursnif.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_mal_ursnif.md
@@ -48,6 +48,27 @@ level: critical
 
 
 
+### es-qs
+    
+```
+(EventID:"13" AND TargetObject.keyword:*\\\\Software\\\\AppDataLow\\\\Software\\\\Microsoft\\\\*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Ursnif <<EOF\n{\n  "metadata": {\n    "title": "Ursnif",\n    "description": "Detects new registry key created by Ursnif malware.",\n    "tags": [\n      "attack.execution",\n      "attack.t1112"\n    ],\n    "query": "(EventID:\\"13\\" AND TargetObject.keyword:*\\\\\\\\Software\\\\\\\\AppDataLow\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:\\"13\\" AND TargetObject.keyword:*\\\\\\\\Software\\\\\\\\AppDataLow\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Ursnif\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(EventID:"13" AND TargetObject.keyword:*\\\\Software\\\\AppDataLow\\\\Software\\\\Microsoft\\\\*)
+```
+
+
 ### splunk
     
 ```
@@ -55,4 +76,18 @@ level: critical
 ```
 
 
+### logpoint
+    
+```
+(event_id="13" TargetObject="*\\\\Software\\\\AppDataLow\\\\Software\\\\Microsoft\\\\*")
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*13)(?=.*.*\\Software\\AppDataLow\\Software\\Microsoft\\\\.*))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_mal_wceaux_dll.md b/Atomic_Threat_Coverage/Detection_Rules/win_mal_wceaux_dll.md
index 0d22671..b1258e7 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_mal_wceaux_dll.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_mal_wceaux_dll.md
@@ -3,7 +3,7 @@
 | Description          | Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1003: Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0062_4663_attempt_was_made_to_access_an_object](../Data_Needed/DN_0062_4663_attempt_was_made_to_access_an_object.md)</li><li>[DN_0061_4660_object_was_deleted](../Data_Needed/DN_0061_4660_object_was_deleted.md)</li><li>[DN_0058_4656_handle_to_an_object_was_requested](../Data_Needed/DN_0058_4656_handle_to_an_object_was_requested.md)</li><li>[DN_0060_4658_handle_to_an_object_was_closed](../Data_Needed/DN_0060_4658_handle_to_an_object_was_closed.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0060_4658_handle_to_an_object_was_closed](../Data_Needed/DN_0060_4658_handle_to_an_object_was_closed.md)</li><li>[DN_0062_4663_attempt_was_made_to_access_an_object](../Data_Needed/DN_0062_4663_attempt_was_made_to_access_an_object.md)</li><li>[DN_0061_4660_object_was_deleted](../Data_Needed/DN_0061_4660_object_was_deleted.md)</li><li>[DN_0058_4656_handle_to_an_object_was_requested](../Data_Needed/DN_0058_4656_handle_to_an_object_was_requested.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1003: Credential Dumping](../Triggers/T1003.md)</li></ul>  |
 | Severity Level       | critical |
@@ -52,6 +52,27 @@ level: critical
 
 
 
+### es-qs
+    
+```
+(EventID:("4656" OR "4658" OR "4660" OR "4663") AND ObjectName.keyword:*\\\\wceaux.dll)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/WCE-wceaux.dll-Access <<EOF\n{\n  "metadata": {\n    "title": "WCE wceaux.dll Access",\n    "description": "Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host",\n    "tags": [\n      "attack.credential_access",\n      "attack.t1003",\n      "attack.s0005"\n    ],\n    "query": "(EventID:(\\"4656\\" OR \\"4658\\" OR \\"4660\\" OR \\"4663\\") AND ObjectName.keyword:*\\\\\\\\wceaux.dll)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:(\\"4656\\" OR \\"4658\\" OR \\"4660\\" OR \\"4663\\") AND ObjectName.keyword:*\\\\\\\\wceaux.dll)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'WCE wceaux.dll Access\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(EventID:("4656" "4658" "4660" "4663") AND ObjectName.keyword:*\\\\wceaux.dll)
+```
+
+
 ### splunk
     
 ```
@@ -59,4 +80,18 @@ level: critical
 ```
 
 
+### logpoint
+    
+```
+(event_source="Microsoft-Windows-Security-Auditing" event_id IN ["4656", "4658", "4660", "4663"] ObjectName="*\\\\wceaux.dll")
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*4656|.*4658|.*4660|.*4663))(?=.*.*\\wceaux\\.dll))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_malware_dridex.md b/Atomic_Threat_Coverage/Detection_Rules/win_malware_dridex.md
index 8a2669f..2ae06ca 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_malware_dridex.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_malware_dridex.md
@@ -3,7 +3,7 @@
 | Description          | Detects typical Dridex process patterns                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1055: Process Injection](https://attack.mitre.org/techniques/T1055)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1055: Process Injection](../Triggers/T1055.md)</li></ul>  |
 | Severity Level       | critical |
@@ -52,6 +52,27 @@ level: critical
 
 
 
+### es-qs
+    
+```
+(CommandLine.keyword:*\\\\svchost.exe\\ C\\:\\\\Users\\\\*\\\\Desktop\\\\* OR (ParentImage.keyword:*\\\\svchost.exe* AND CommandLine.keyword:(*whoami.exe\\ \\/all OR *net.exe\\ view)))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Dridex-Process-Pattern <<EOF\n{\n  "metadata": {\n    "title": "Dridex Process Pattern",\n    "description": "Detects typical Dridex process patterns",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.privilege_escalation",\n      "attack.t1055"\n    ],\n    "query": "(CommandLine.keyword:*\\\\\\\\svchost.exe\\\\ C\\\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\Desktop\\\\\\\\* OR (ParentImage.keyword:*\\\\\\\\svchost.exe* AND CommandLine.keyword:(*whoami.exe\\\\ \\\\/all OR *net.exe\\\\ view)))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(CommandLine.keyword:*\\\\\\\\svchost.exe\\\\ C\\\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\Desktop\\\\\\\\* OR (ParentImage.keyword:*\\\\\\\\svchost.exe* AND CommandLine.keyword:(*whoami.exe\\\\ \\\\/all OR *net.exe\\\\ view)))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Dridex Process Pattern\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(CommandLine.keyword:*\\\\svchost.exe C\\:\\\\Users\\\\*\\\\Desktop\\\\* OR (ParentImage.keyword:*\\\\svchost.exe* AND CommandLine.keyword:(*whoami.exe \\/all *net.exe view)))
+```
+
+
 ### splunk
     
 ```
@@ -59,4 +80,18 @@ level: critical
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" (CommandLine="*\\\\svchost.exe C:\\\\Users\\\\*\\\\Desktop\\\\*" OR (ParentImage="*\\\\svchost.exe*" CommandLine IN ["*whoami.exe /all", "*net.exe view"])))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?:.*.*\\svchost\\.exe C:\\Users\\\\.*\\Desktop\\\\.*|.*(?:.*(?=.*.*\\svchost\\.exe.*)(?=.*(?:.*.*whoami\\.exe /all|.*.*net\\.exe view)))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_malware_dtrack.md b/Atomic_Threat_Coverage/Detection_Rules/win_malware_dtrack.md
index 4ad5c9a..53956fc 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_malware_dtrack.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_malware_dtrack.md
@@ -3,7 +3,7 @@
 | Description          | Detects specific process parameters as seen in DTRACK infections                                                                                                                                           |
 | ATT&amp;CK Tactic    |   This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet  |
 | ATT&amp;CK Technique |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              |  There is no documented Trigger for this Detection Rule yet  |
 | Severity Level       | critical |
@@ -48,6 +48,27 @@ level: critical
 
 
 
+### es-qs
+    
+```
+CommandLine.keyword:*\\ echo\\ EEEE\\ \\ *
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/DTRACK-Process-Creation <<EOF\n{\n  "metadata": {\n    "title": "DTRACK Process Creation",\n    "description": "Detects specific process parameters as seen in DTRACK infections",\n    "tags": "",\n    "query": "CommandLine.keyword:*\\\\ echo\\\\ EEEE\\\\ \\\\ *"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "CommandLine.keyword:*\\\\ echo\\\\ EEEE\\\\ \\\\ *",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'DTRACK Process Creation\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n      CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+CommandLine.keyword:* echo EEEE  *
+```
+
+
 ### splunk
     
 ```
@@ -55,4 +76,18 @@ CommandLine="* echo EEEE > *" | table CommandLine,ParentCommandLine
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" CommandLine="* echo EEEE > *")
+```
+
+
+### grep
+    
+```
+grep -P '^.* echo EEEE > .*'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_malware_emotet.md b/Atomic_Threat_Coverage/Detection_Rules/win_malware_emotet.md
index a8efb45..2f1f97e 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_malware_emotet.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_malware_emotet.md
@@ -3,7 +3,7 @@
 | Description          | Detects all Emotet like process executions that are not covered by the more generic rules                                                                                                                                           |
 | ATT&amp;CK Tactic    |   This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet  |
 | ATT&amp;CK Technique |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              |  There is no documented Trigger for this Detection Rule yet  |
 | Severity Level       | critical |
@@ -56,6 +56,27 @@ level: critical
 
 
 
+### es-qs
+    
+```
+CommandLine.keyword:(*\\ \\-e*\\ PAA* OR *JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ* OR *QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA* OR *kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA* OR *IgAoACcAKgAnACkAOwAkA* OR *IAKAAnACoAJwApADsAJA* OR *iACgAJwAqACcAKQA7ACQA*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Emotet-Process-Creation <<EOF\n{\n  "metadata": {\n    "title": "Emotet Process Creation",\n    "description": "Detects all Emotet like process executions that are not covered by the more generic rules",\n    "tags": "",\n    "query": "CommandLine.keyword:(*\\\\ \\\\-e*\\\\ PAA* OR *JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ* OR *QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA* OR *kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA* OR *IgAoACcAKgAnACkAOwAkA* OR *IAKAAnACoAJwApADsAJA* OR *iACgAJwAqACcAKQA7ACQA*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "CommandLine.keyword:(*\\\\ \\\\-e*\\\\ PAA* OR *JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ* OR *QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA* OR *kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA* OR *IgAoACcAKgAnACkAOwAkA* OR *IAKAAnACoAJwApADsAJA* OR *iACgAJwAqACcAKQA7ACQA*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Emotet Process Creation\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n      CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+CommandLine.keyword:(* \\-e* PAA* *JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ* *QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA* *kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA* *IgAoACcAKgAnACkAOwAkA* *IAKAAnACoAJwApADsAJA* *iACgAJwAqACcAKQA7ACQA*)
+```
+
+
 ### splunk
     
 ```
@@ -63,4 +84,18 @@ level: critical
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" CommandLine IN ["* -e* PAA*", "*JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ*", "*QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA*", "*kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA*", "*IgAoACcAKgAnACkAOwAkA*", "*IAKAAnACoAJwApADsAJA*", "*iACgAJwAqACcAKQA7ACQA*"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*.* -e.* PAA.*|.*.*JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ.*|.*.*QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA.*|.*.*kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA.*|.*.*IgAoACcAKgAnACkAOwAkA.*|.*.*IAKAAnACoAJwApADsAJA.*|.*.*iACgAJwAqACcAKQA7ACQA.*)'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_malware_formbook.md b/Atomic_Threat_Coverage/Detection_Rules/win_malware_formbook.md
index 3aeb977..30f8348 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_malware_formbook.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_malware_formbook.md
@@ -60,6 +60,27 @@ level: critical
 
 
 
+### es-qs
+    
+```
+(ParentCommandLine.keyword:(C\\:\\\\Windows\\\\System32\\\\*.exe OR C\\:\\\\Windows\\\\SysWOW64\\\\*.exe) AND CommandLine.keyword:(*\\ \\/c\\ del\\ \\"C\\:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*.exe OR *\\ \\/c\\ del\\ \\"C\\:\\\\Users\\\\*\\\\Desktop\\\\*.exe OR *\\ \\/C\\ type\\ nul\\ \\ \\"C\\:\\\\Users\\\\*\\\\Desktop\\\\*.exe))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Formbook-Process-Creation <<EOF\n{\n  "metadata": {\n    "title": "Formbook Process Creation",\n    "description": "Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.",\n    "tags": "",\n    "query": "(ParentCommandLine.keyword:(C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\*.exe OR C\\\\:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\*.exe) AND CommandLine.keyword:(*\\\\ \\\\/c\\\\ del\\\\ \\\\\\"C\\\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\*.exe OR *\\\\ \\\\/c\\\\ del\\\\ \\\\\\"C\\\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\Desktop\\\\\\\\*.exe OR *\\\\ \\\\/C\\\\ type\\\\ nul\\\\ \\\\ \\\\\\"C\\\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\Desktop\\\\\\\\*.exe))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(ParentCommandLine.keyword:(C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\*.exe OR C\\\\:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\*.exe) AND CommandLine.keyword:(*\\\\ \\\\/c\\\\ del\\\\ \\\\\\"C\\\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\*.exe OR *\\\\ \\\\/c\\\\ del\\\\ \\\\\\"C\\\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\Desktop\\\\\\\\*.exe OR *\\\\ \\\\/C\\\\ type\\\\ nul\\\\ \\\\ \\\\\\"C\\\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\Desktop\\\\\\\\*.exe))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Formbook Process Creation\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n      CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(ParentCommandLine.keyword:(C\\:\\\\Windows\\\\System32\\\\*.exe C\\:\\\\Windows\\\\SysWOW64\\\\*.exe) AND CommandLine.keyword:(* \\/c del \\"C\\:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*.exe * \\/c del \\"C\\:\\\\Users\\\\*\\\\Desktop\\\\*.exe * \\/C type nul  \\"C\\:\\\\Users\\\\*\\\\Desktop\\\\*.exe))
+```
+
+
 ### splunk
     
 ```
@@ -67,4 +88,18 @@ level: critical
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" ParentCommandLine IN ["C:\\\\Windows\\\\System32\\\\*.exe", "C:\\\\Windows\\\\SysWOW64\\\\*.exe"] CommandLine IN ["* /c del \\"C:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*.exe", "* /c del \\"C:\\\\Users\\\\*\\\\Desktop\\\\*.exe", "* /C type nul > \\"C:\\\\Users\\\\*\\\\Desktop\\\\*.exe"])
+```
+
+
+### grep
+    
+```
+grep -P \'^(?:.*(?=.*(?:.*C:\\Windows\\System32\\\\.*\\.exe|.*C:\\Windows\\SysWOW64\\\\.*\\.exe))(?=.*(?:.*.* /c del "C:\\Users\\\\.*\\AppData\\Local\\Temp\\\\.*\\.exe|.*.* /c del "C:\\Users\\\\.*\\Desktop\\\\.*\\.exe|.*.* /C type nul > "C:\\Users\\\\.*\\Desktop\\\\.*\\.exe)))\'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_malware_notpetya.md b/Atomic_Threat_Coverage/Detection_Rules/win_malware_notpetya.md
index 9485828..09fd964 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_malware_notpetya.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_malware_notpetya.md
@@ -3,7 +3,7 @@
 | Description          | Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1085: Rundll32](https://attack.mitre.org/techniques/T1085)</li><li>[T1070: Indicator Removal on Host](https://attack.mitre.org/techniques/T1070)</li><li>[T1003: Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1085: Rundll32](../Triggers/T1085.md)</li><li>[T1070: Indicator Removal on Host](../Triggers/T1070.md)</li><li>[T1003: Credential Dumping](../Triggers/T1003.md)</li></ul>  |
 | Severity Level       | critical |
@@ -60,6 +60,27 @@ level: critical
 
 
 
+### es-qs
+    
+```
+(CommandLine.keyword:*\\\\AppData\\\\Local\\\\Temp\\\\*\\ \\\\.\\\\pipe\\\\* OR (Image.keyword:*\\\\rundll32.exe AND CommandLine.keyword:*.dat,#1) OR *\\\\perfc.dat*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/NotPetya-Ransomware-Activity <<EOF\n{\n  "metadata": {\n    "title": "NotPetya Ransomware Activity",\n    "description": "Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil",\n    "tags": [\n      "attack.execution",\n      "attack.credential_access",\n      "attack.defense_evasion",\n      "attack.t1085",\n      "attack.t1070",\n      "attack.t1003",\n      "car.2016-04-002"\n    ],\n    "query": "(CommandLine.keyword:*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\*\\\\ \\\\\\\\.\\\\\\\\pipe\\\\\\\\* OR (Image.keyword:*\\\\\\\\rundll32.exe AND CommandLine.keyword:*.dat,#1) OR *\\\\\\\\perfc.dat*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(CommandLine.keyword:*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\*\\\\ \\\\\\\\.\\\\\\\\pipe\\\\\\\\* OR (Image.keyword:*\\\\\\\\rundll32.exe AND CommandLine.keyword:*.dat,#1) OR *\\\\\\\\perfc.dat*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'NotPetya Ransomware Activity\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n      CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(CommandLine.keyword:*\\\\AppData\\\\Local\\\\Temp\\\\* \\\\.\\\\pipe\\\\* OR (Image.keyword:*\\\\rundll32.exe AND CommandLine.keyword:*.dat,#1) OR *\\\\perfc.dat*)
+```
+
+
 ### splunk
     
 ```
@@ -67,4 +88,18 @@ level: critical
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" (CommandLine="*\\\\AppData\\\\Local\\\\Temp\\\\* \\\\.\\\\pipe\\\\*" OR (Image="*\\\\rundll32.exe" CommandLine="*.dat,#1") OR "*\\\\perfc.dat*"))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?:.*.*\\AppData\\Local\\Temp\\\\.* \\\\\\.\\pipe\\\\.*|.*(?:.*(?=.*.*\\rundll32\\.exe)(?=.*.*\\.dat,#1))|.*.*\\perfc\\.dat.*))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_malware_qbot.md b/Atomic_Threat_Coverage/Detection_Rules/win_malware_qbot.md
index bb1e37c..6602528 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_malware_qbot.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_malware_qbot.md
@@ -3,7 +3,7 @@
 | Description          | Detects QBot like process executions                                                                                                                                           |
 | ATT&amp;CK Tactic    |   This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet  |
 | ATT&amp;CK Technique |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              |  There is no documented Trigger for this Detection Rule yet  |
 | Severity Level       | critical |
@@ -50,6 +50,27 @@ level: critical
 
 
 
+### es-qs
+    
+```
+((ParentImage.keyword:*\\\\WinRAR.exe AND Image.keyword:*\\\\wscript.exe) OR CommandLine.keyword:*\\ \\/c\\ ping.exe\\ \\-n\\ 6\\ 127.0.0.1\\ &\\ type\\ *)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/QBot-Process-Creation <<EOF\n{\n  "metadata": {\n    "title": "QBot Process Creation",\n    "description": "Detects QBot like process executions",\n    "tags": "",\n    "query": "((ParentImage.keyword:*\\\\\\\\WinRAR.exe AND Image.keyword:*\\\\\\\\wscript.exe) OR CommandLine.keyword:*\\\\ \\\\/c\\\\ ping.exe\\\\ \\\\-n\\\\ 6\\\\ 127.0.0.1\\\\ &\\\\ type\\\\ *)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "((ParentImage.keyword:*\\\\\\\\WinRAR.exe AND Image.keyword:*\\\\\\\\wscript.exe) OR CommandLine.keyword:*\\\\ \\\\/c\\\\ ping.exe\\\\ \\\\-n\\\\ 6\\\\ 127.0.0.1\\\\ &\\\\ type\\\\ *)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'QBot Process Creation\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n      CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+((ParentImage.keyword:*\\\\WinRAR.exe AND Image.keyword:*\\\\wscript.exe) OR CommandLine.keyword:* \\/c ping.exe \\-n 6 127.0.0.1 & type *)
+```
+
+
 ### splunk
     
 ```
@@ -57,4 +78,18 @@ level: critical
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" ((ParentImage="*\\\\WinRAR.exe" Image="*\\\\wscript.exe") OR CommandLine="* /c ping.exe -n 6 127.0.0.1 & type *"))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?:.*(?:.*(?=.*.*\\WinRAR\\.exe)(?=.*.*\\wscript\\.exe))|.*.* /c ping\\.exe -n 6 127\\.0\\.0\\.1 & type .*))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_malware_script_dropper.md b/Atomic_Threat_Coverage/Detection_Rules/win_malware_script_dropper.md
index 3d4c330..da63ff7 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_malware_script_dropper.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_malware_script_dropper.md
@@ -3,7 +3,7 @@
 | Description          | Detects wscript/cscript executions of scripts located in user directories                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1064: Scripting](https://attack.mitre.org/techniques/T1064)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1064: Scripting](../Triggers/T1064.md)</li></ul>  |
 | Severity Level       | high |
@@ -63,6 +63,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+((Image.keyword:(*\\\\wscript.exe OR *\\\\cscript.exe) AND CommandLine.keyword:(*\\ C\\:\\\\Users\\\\*.jse\\ * OR *\\ C\\:\\\\Users\\\\*.vbe\\ * OR *\\ C\\:\\\\Users\\\\*.js\\ * OR *\\ C\\:\\\\Users\\\\*.vba\\ * OR *\\ C\\:\\\\Users\\\\*.vbs\\ * OR *\\ C\\:\\\\ProgramData\\\\*.jse\\ * OR *\\ C\\:\\\\ProgramData\\\\*.vbe\\ * OR *\\ C\\:\\\\ProgramData\\\\*.js\\ * OR *\\ C\\:\\\\ProgramData\\\\*.vba\\ * OR *\\ C\\:\\\\ProgramData\\\\*.vbs\\ *)) AND (NOT (ParentImage.keyword:*\\\\winzip*)))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/WScript-or-CScript-Dropper <<EOF\n{\n  "metadata": {\n    "title": "WScript or CScript Dropper",\n    "description": "Detects wscript/cscript executions of scripts located in user directories",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.execution",\n      "attack.t1064"\n    ],\n    "query": "((Image.keyword:(*\\\\\\\\wscript.exe OR *\\\\\\\\cscript.exe) AND CommandLine.keyword:(*\\\\ C\\\\:\\\\\\\\Users\\\\\\\\*.jse\\\\ * OR *\\\\ C\\\\:\\\\\\\\Users\\\\\\\\*.vbe\\\\ * OR *\\\\ C\\\\:\\\\\\\\Users\\\\\\\\*.js\\\\ * OR *\\\\ C\\\\:\\\\\\\\Users\\\\\\\\*.vba\\\\ * OR *\\\\ C\\\\:\\\\\\\\Users\\\\\\\\*.vbs\\\\ * OR *\\\\ C\\\\:\\\\\\\\ProgramData\\\\\\\\*.jse\\\\ * OR *\\\\ C\\\\:\\\\\\\\ProgramData\\\\\\\\*.vbe\\\\ * OR *\\\\ C\\\\:\\\\\\\\ProgramData\\\\\\\\*.js\\\\ * OR *\\\\ C\\\\:\\\\\\\\ProgramData\\\\\\\\*.vba\\\\ * OR *\\\\ C\\\\:\\\\\\\\ProgramData\\\\\\\\*.vbs\\\\ *)) AND (NOT (ParentImage.keyword:*\\\\\\\\winzip*)))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "((Image.keyword:(*\\\\\\\\wscript.exe OR *\\\\\\\\cscript.exe) AND CommandLine.keyword:(*\\\\ C\\\\:\\\\\\\\Users\\\\\\\\*.jse\\\\ * OR *\\\\ C\\\\:\\\\\\\\Users\\\\\\\\*.vbe\\\\ * OR *\\\\ C\\\\:\\\\\\\\Users\\\\\\\\*.js\\\\ * OR *\\\\ C\\\\:\\\\\\\\Users\\\\\\\\*.vba\\\\ * OR *\\\\ C\\\\:\\\\\\\\Users\\\\\\\\*.vbs\\\\ * OR *\\\\ C\\\\:\\\\\\\\ProgramData\\\\\\\\*.jse\\\\ * OR *\\\\ C\\\\:\\\\\\\\ProgramData\\\\\\\\*.vbe\\\\ * OR *\\\\ C\\\\:\\\\\\\\ProgramData\\\\\\\\*.js\\\\ * OR *\\\\ C\\\\:\\\\\\\\ProgramData\\\\\\\\*.vba\\\\ * OR *\\\\ C\\\\:\\\\\\\\ProgramData\\\\\\\\*.vbs\\\\ *)) AND (NOT (ParentImage.keyword:*\\\\\\\\winzip*)))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'WScript or CScript Dropper\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n      CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+((Image.keyword:(*\\\\wscript.exe *\\\\cscript.exe) AND CommandLine.keyword:(* C\\:\\\\Users\\\\*.jse * * C\\:\\\\Users\\\\*.vbe * * C\\:\\\\Users\\\\*.js * * C\\:\\\\Users\\\\*.vba * * C\\:\\\\Users\\\\*.vbs * * C\\:\\\\ProgramData\\\\*.jse * * C\\:\\\\ProgramData\\\\*.vbe * * C\\:\\\\ProgramData\\\\*.js * * C\\:\\\\ProgramData\\\\*.vba * * C\\:\\\\ProgramData\\\\*.vbs *)) AND (NOT (ParentImage.keyword:*\\\\winzip*)))
+```
+
+
 ### splunk
     
 ```
@@ -70,4 +91,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" (Image IN ["*\\\\wscript.exe", "*\\\\cscript.exe"] CommandLine IN ["* C:\\\\Users\\\\*.jse *", "* C:\\\\Users\\\\*.vbe *", "* C:\\\\Users\\\\*.js *", "* C:\\\\Users\\\\*.vba *", "* C:\\\\Users\\\\*.vbs *", "* C:\\\\ProgramData\\\\*.jse *", "* C:\\\\ProgramData\\\\*.vbe *", "* C:\\\\ProgramData\\\\*.js *", "* C:\\\\ProgramData\\\\*.vba *", "* C:\\\\ProgramData\\\\*.vbs *"])  -(ParentImage="*\\\\winzip*"))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*(?=.*(?:.*.*\\wscript\\.exe|.*.*\\cscript\\.exe))(?=.*(?:.*.* C:\\Users\\\\.*\\.jse .*|.*.* C:\\Users\\\\.*\\.vbe .*|.*.* C:\\Users\\\\.*\\.js .*|.*.* C:\\Users\\\\.*\\.vba .*|.*.* C:\\Users\\\\.*\\.vbs .*|.*.* C:\\ProgramData\\\\.*\\.jse .*|.*.* C:\\ProgramData\\\\.*\\.vbe .*|.*.* C:\\ProgramData\\\\.*\\.js .*|.*.* C:\\ProgramData\\\\.*\\.vba .*|.*.* C:\\ProgramData\\\\.*\\.vbs .*))))(?=.*(?!.*(?:.*(?=.*.*\\winzip.*)))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_malware_wannacry.md b/Atomic_Threat_Coverage/Detection_Rules/win_malware_wannacry.md
index 3346c13..a478756 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_malware_wannacry.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_malware_wannacry.md
@@ -3,7 +3,7 @@
 | Description          | Detects WannaCry ransomware activity                                                                                                                                           |
 | ATT&amp;CK Tactic    |   This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet  |
 | ATT&amp;CK Technique |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              |  There is no documented Trigger for this Detection Rule yet  |
 | Severity Level       | critical |
@@ -63,6 +63,27 @@ level: critical
 
 
 
+### es-qs
+    
+```
+(Image.keyword:(*\\\\tasksche.exe OR *\\\\mssecsvc.exe OR *\\\\taskdl.exe OR *\\\\@WanaDecryptor@* OR *\\\\WanaDecryptor* OR *\\\\taskhsvc.exe OR *\\\\taskse.exe OR *\\\\111.exe OR *\\\\lhdfrgui.exe OR *\\\\diskpart.exe OR *\\\\linuxnew.exe OR *\\\\wannacry.exe) OR CommandLine.keyword:(*icacls\\ *\\ \\/grant\\ Everyone\\:F\\ \\/T\\ \\/C\\ \\/Q* OR *bcdedit\\ \\/set\\ \\{default\\}\\ recoveryenabled\\ no* OR *wbadmin\\ delete\\ catalog\\ \\-quiet* OR *@Please_Read_Me@.txt*))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/WannaCry-Ransomware <<EOF\n{\n  "metadata": {\n    "title": "WannaCry Ransomware",\n    "description": "Detects WannaCry ransomware activity",\n    "tags": "",\n    "query": "(Image.keyword:(*\\\\\\\\tasksche.exe OR *\\\\\\\\mssecsvc.exe OR *\\\\\\\\taskdl.exe OR *\\\\\\\\@WanaDecryptor@* OR *\\\\\\\\WanaDecryptor* OR *\\\\\\\\taskhsvc.exe OR *\\\\\\\\taskse.exe OR *\\\\\\\\111.exe OR *\\\\\\\\lhdfrgui.exe OR *\\\\\\\\diskpart.exe OR *\\\\\\\\linuxnew.exe OR *\\\\\\\\wannacry.exe) OR CommandLine.keyword:(*icacls\\\\ *\\\\ \\\\/grant\\\\ Everyone\\\\:F\\\\ \\\\/T\\\\ \\\\/C\\\\ \\\\/Q* OR *bcdedit\\\\ \\\\/set\\\\ \\\\{default\\\\}\\\\ recoveryenabled\\\\ no* OR *wbadmin\\\\ delete\\\\ catalog\\\\ \\\\-quiet* OR *@Please_Read_Me@.txt*))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(Image.keyword:(*\\\\\\\\tasksche.exe OR *\\\\\\\\mssecsvc.exe OR *\\\\\\\\taskdl.exe OR *\\\\\\\\@WanaDecryptor@* OR *\\\\\\\\WanaDecryptor* OR *\\\\\\\\taskhsvc.exe OR *\\\\\\\\taskse.exe OR *\\\\\\\\111.exe OR *\\\\\\\\lhdfrgui.exe OR *\\\\\\\\diskpart.exe OR *\\\\\\\\linuxnew.exe OR *\\\\\\\\wannacry.exe) OR CommandLine.keyword:(*icacls\\\\ *\\\\ \\\\/grant\\\\ Everyone\\\\:F\\\\ \\\\/T\\\\ \\\\/C\\\\ \\\\/Q* OR *bcdedit\\\\ \\\\/set\\\\ \\\\{default\\\\}\\\\ recoveryenabled\\\\ no* OR *wbadmin\\\\ delete\\\\ catalog\\\\ \\\\-quiet* OR *@Please_Read_Me@.txt*))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'WannaCry Ransomware\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n      CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(Image.keyword:(*\\\\tasksche.exe *\\\\mssecsvc.exe *\\\\taskdl.exe *\\\\@WanaDecryptor@* *\\\\WanaDecryptor* *\\\\taskhsvc.exe *\\\\taskse.exe *\\\\111.exe *\\\\lhdfrgui.exe *\\\\diskpart.exe *\\\\linuxnew.exe *\\\\wannacry.exe) OR CommandLine.keyword:(*icacls * \\/grant Everyone\\:F \\/T \\/C \\/Q* *bcdedit \\/set \\{default\\} recoveryenabled no* *wbadmin delete catalog \\-quiet* *@Please_Read_Me@.txt*))
+```
+
+
 ### splunk
     
 ```
@@ -70,4 +91,18 @@ level: critical
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" (Image IN ["*\\\\tasksche.exe", "*\\\\mssecsvc.exe", "*\\\\taskdl.exe", "*\\\\@WanaDecryptor@*", "*\\\\WanaDecryptor*", "*\\\\taskhsvc.exe", "*\\\\taskse.exe", "*\\\\111.exe", "*\\\\lhdfrgui.exe", "*\\\\diskpart.exe", "*\\\\linuxnew.exe", "*\\\\wannacry.exe"] OR CommandLine IN ["*icacls * /grant Everyone:F /T /C /Q*", "*bcdedit /set {default} recoveryenabled no*", "*wbadmin delete catalog -quiet*", "*@Please_Read_Me@.txt*"]))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?:.*(?:.*.*\\tasksche\\.exe|.*.*\\mssecsvc\\.exe|.*.*\\taskdl\\.exe|.*.*\\@WanaDecryptor@.*|.*.*\\WanaDecryptor.*|.*.*\\taskhsvc\\.exe|.*.*\\taskse\\.exe|.*.*\\111\\.exe|.*.*\\lhdfrgui\\.exe|.*.*\\diskpart\\.exe|.*.*\\linuxnew\\.exe|.*.*\\wannacry\\.exe)|.*(?:.*.*icacls .* /grant Everyone:F /T /C /Q.*|.*.*bcdedit /set \\{default\\} recoveryenabled no.*|.*.*wbadmin delete catalog -quiet.*|.*.*@Please_Read_Me@\\.txt.*)))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_mavinject_proc_inj.md b/Atomic_Threat_Coverage/Detection_Rules/win_mavinject_proc_inj.md
index af6ebbe..a3b3943 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_mavinject_proc_inj.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_mavinject_proc_inj.md
@@ -3,7 +3,7 @@
 | Description          | Detects process injection using the signed Windows tool Mavinject32.exe                                                                                                                                           |
 | ATT&amp;CK Tactic    |   This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet  |
 | ATT&amp;CK Technique | <ul><li>[T1055: Process Injection](https://attack.mitre.org/techniques/T1055)</li><li>[T1218: Signed Binary Proxy Execution](https://attack.mitre.org/techniques/T1218)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1055: Process Injection](../Triggers/T1055.md)</li><li>[T1218: Signed Binary Proxy Execution](../Triggers/T1218.md)</li></ul>  |
 | Severity Level       | critical |
@@ -48,6 +48,27 @@ level: critical
 
 
 
+### es-qs
+    
+```
+CommandLine.keyword:*\\ \\/INJECTRUNNING\\ *
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/MavInject-Process-Injection <<EOF\n{\n  "metadata": {\n    "title": "MavInject Process Injection",\n    "description": "Detects process injection using the signed Windows tool Mavinject32.exe",\n    "tags": [\n      "attack.t1055",\n      "attack.t1218"\n    ],\n    "query": "CommandLine.keyword:*\\\\ \\\\/INJECTRUNNING\\\\ *"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "CommandLine.keyword:*\\\\ \\\\/INJECTRUNNING\\\\ *",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'MavInject Process Injection\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+CommandLine.keyword:* \\/INJECTRUNNING *
+```
+
+
 ### splunk
     
 ```
@@ -55,4 +76,18 @@ CommandLine="* /INJECTRUNNING *"
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" CommandLine="* /INJECTRUNNING *")
+```
+
+
+### grep
+    
+```
+grep -P '^.* /INJECTRUNNING .*'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_mmc_spawn_shell.md b/Atomic_Threat_Coverage/Detection_Rules/win_mmc_spawn_shell.md
index 2247a96..0962516 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_mmc_spawn_shell.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_mmc_spawn_shell.md
@@ -3,7 +3,7 @@
 | Description          | Detects a Windows command line executable started from MMC.                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1175: Component Object Model and Distributed COM](https://attack.mitre.org/techniques/T1175)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1175: Component Object Model and Distributed COM](../Triggers/T1175.md)</li></ul>  |
 | Severity Level       | high |
@@ -55,6 +55,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(ParentImage.keyword:*\\\\mmc.exe AND Image.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\wscript.exe OR *\\\\cscript.exe OR *\\\\sh.exe OR *\\\\bash.exe OR *\\\\reg.exe OR *\\\\regsvr32.exe OR *\\\\BITSADMIN*))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/MMC-Spawning-Windows-Shell <<EOF\n{\n  "metadata": {\n    "title": "MMC Spawning Windows Shell",\n    "description": "Detects a Windows command line executable started from MMC.",\n    "tags": [\n      "attack.lateral_movement",\n      "attack.t1175"\n    ],\n    "query": "(ParentImage.keyword:*\\\\\\\\mmc.exe AND Image.keyword:(*\\\\\\\\cmd.exe OR *\\\\\\\\powershell.exe OR *\\\\\\\\wscript.exe OR *\\\\\\\\cscript.exe OR *\\\\\\\\sh.exe OR *\\\\\\\\bash.exe OR *\\\\\\\\reg.exe OR *\\\\\\\\regsvr32.exe OR *\\\\\\\\BITSADMIN*))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(ParentImage.keyword:*\\\\\\\\mmc.exe AND Image.keyword:(*\\\\\\\\cmd.exe OR *\\\\\\\\powershell.exe OR *\\\\\\\\wscript.exe OR *\\\\\\\\cscript.exe OR *\\\\\\\\sh.exe OR *\\\\\\\\bash.exe OR *\\\\\\\\reg.exe OR *\\\\\\\\regsvr32.exe OR *\\\\\\\\BITSADMIN*))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'MMC Spawning Windows Shell\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n      CommandLine = {{_source.CommandLine}}\\n            Image = {{_source.Image}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(ParentImage.keyword:*\\\\mmc.exe AND Image.keyword:(*\\\\cmd.exe *\\\\powershell.exe *\\\\wscript.exe *\\\\cscript.exe *\\\\sh.exe *\\\\bash.exe *\\\\reg.exe *\\\\regsvr32.exe *\\\\BITSADMIN*))
+```
+
+
 ### splunk
     
 ```
@@ -62,4 +83,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" ParentImage="*\\\\mmc.exe" Image IN ["*\\\\cmd.exe", "*\\\\powershell.exe", "*\\\\wscript.exe", "*\\\\cscript.exe", "*\\\\sh.exe", "*\\\\bash.exe", "*\\\\reg.exe", "*\\\\regsvr32.exe", "*\\\\BITSADMIN*"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*.*\\mmc\\.exe)(?=.*(?:.*.*\\cmd\\.exe|.*.*\\powershell\\.exe|.*.*\\wscript\\.exe|.*.*\\cscript\\.exe|.*.*\\sh\\.exe|.*.*\\bash\\.exe|.*.*\\reg\\.exe|.*.*\\regsvr32\\.exe|.*.*\\BITSADMIN.*)))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_mshta_spawn_shell.md b/Atomic_Threat_Coverage/Detection_Rules/win_mshta_spawn_shell.md
index 3c5d2fd..0056732 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_mshta_spawn_shell.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_mshta_spawn_shell.md
@@ -3,7 +3,7 @@
 | Description          | Detects a Windows command line executable started from MSHTA.                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1170: Mshta](https://attack.mitre.org/techniques/T1170)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1170: Mshta](../Triggers/T1170.md)</li></ul>  |
 | Severity Level       | high |
@@ -63,6 +63,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(ParentImage.keyword:*\\\\mshta.exe AND Image.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\wscript.exe OR *\\\\cscript.exe OR *\\\\sh.exe OR *\\\\bash.exe OR *\\\\reg.exe OR *\\\\regsvr32.exe OR *\\\\BITSADMIN*))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/MSHTA-Spawning-Windows-Shell <<EOF\n{\n  "metadata": {\n    "title": "MSHTA Spawning Windows Shell",\n    "description": "Detects a Windows command line executable started from MSHTA.",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.execution",\n      "attack.t1170",\n      "car.2013-02-003",\n      "car.2013-03-001",\n      "car.2014-04-003"\n    ],\n    "query": "(ParentImage.keyword:*\\\\\\\\mshta.exe AND Image.keyword:(*\\\\\\\\cmd.exe OR *\\\\\\\\powershell.exe OR *\\\\\\\\wscript.exe OR *\\\\\\\\cscript.exe OR *\\\\\\\\sh.exe OR *\\\\\\\\bash.exe OR *\\\\\\\\reg.exe OR *\\\\\\\\regsvr32.exe OR *\\\\\\\\BITSADMIN*))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(ParentImage.keyword:*\\\\\\\\mshta.exe AND Image.keyword:(*\\\\\\\\cmd.exe OR *\\\\\\\\powershell.exe OR *\\\\\\\\wscript.exe OR *\\\\\\\\cscript.exe OR *\\\\\\\\sh.exe OR *\\\\\\\\bash.exe OR *\\\\\\\\reg.exe OR *\\\\\\\\regsvr32.exe OR *\\\\\\\\BITSADMIN*))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'MSHTA Spawning Windows Shell\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n      CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(ParentImage.keyword:*\\\\mshta.exe AND Image.keyword:(*\\\\cmd.exe *\\\\powershell.exe *\\\\wscript.exe *\\\\cscript.exe *\\\\sh.exe *\\\\bash.exe *\\\\reg.exe *\\\\regsvr32.exe *\\\\BITSADMIN*))
+```
+
+
 ### splunk
     
 ```
@@ -70,4 +91,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" ParentImage="*\\\\mshta.exe" Image IN ["*\\\\cmd.exe", "*\\\\powershell.exe", "*\\\\wscript.exe", "*\\\\cscript.exe", "*\\\\sh.exe", "*\\\\bash.exe", "*\\\\reg.exe", "*\\\\regsvr32.exe", "*\\\\BITSADMIN*"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*.*\\mshta\\.exe)(?=.*(?:.*.*\\cmd\\.exe|.*.*\\powershell\\.exe|.*.*\\wscript\\.exe|.*.*\\cscript\\.exe|.*.*\\sh\\.exe|.*.*\\bash\\.exe|.*.*\\reg\\.exe|.*.*\\regsvr32\\.exe|.*.*\\BITSADMIN.*)))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_multiple_suspicious_cli.md b/Atomic_Threat_Coverage/Detection_Rules/win_multiple_suspicious_cli.md
index fcccb37..5a10149 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_multiple_suspicious_cli.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_multiple_suspicious_cli.md
@@ -3,7 +3,7 @@
 | Description          | Detects multiple suspicious process in a limited timeframe                                                                                                                                           |
 | ATT&amp;CK Tactic    |   This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet  |
 | ATT&amp;CK Technique |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              |  There is no documented Trigger for this Detection Rule yet  |
 | Severity Level       | low |
@@ -84,6 +84,27 @@ level: low
 
 
 
+### es-qs
+    
+```
+
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Quick-Execution-of-a-Series-of-Suspicious-Commands <<EOF\n{\n  "metadata": {\n    "title": "Quick Execution of a Series of Suspicious Commands",\n    "description": "Detects multiple suspicious process in a limited timeframe",\n    "tags": [\n      "car.2013-04-002"\n    ],\n    "query": "CommandLine:(\\"arp.exe\\" OR \\"at.exe\\" OR \\"attrib.exe\\" OR \\"cscript.exe\\" OR \\"dsquery.exe\\" OR \\"hostname.exe\\" OR \\"ipconfig.exe\\" OR \\"mimikatz.exe\\" OR \\"nbtstat.exe\\" OR \\"net.exe\\" OR \\"netsh.exe\\" OR \\"nslookup.exe\\" OR \\"ping.exe\\" OR \\"quser.exe\\" OR \\"qwinsta.exe\\" OR \\"reg.exe\\" OR \\"runas.exe\\" OR \\"sc.exe\\" OR \\"schtasks.exe\\" OR \\"ssh.exe\\" OR \\"systeminfo.exe\\" OR \\"taskkill.exe\\" OR \\"telnet.exe\\" OR \\"tracert.exe\\" OR \\"wscript.exe\\" OR \\"xcopy.exe\\" OR \\"pscp.exe\\" OR \\"copy.exe\\" OR \\"robocopy.exe\\" OR \\"certutil.exe\\" OR \\"vssadmin.exe\\" OR \\"powershell.exe\\" OR \\"wevtutil.exe\\" OR \\"psexec.exe\\" OR \\"bcedit.exe\\" OR \\"wbadmin.exe\\" OR \\"icacls.exe\\" OR \\"diskpart.exe\\")"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "5m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "CommandLine:(\\"arp.exe\\" OR \\"at.exe\\" OR \\"attrib.exe\\" OR \\"cscript.exe\\" OR \\"dsquery.exe\\" OR \\"hostname.exe\\" OR \\"ipconfig.exe\\" OR \\"mimikatz.exe\\" OR \\"nbtstat.exe\\" OR \\"net.exe\\" OR \\"netsh.exe\\" OR \\"nslookup.exe\\" OR \\"ping.exe\\" OR \\"quser.exe\\" OR \\"qwinsta.exe\\" OR \\"reg.exe\\" OR \\"runas.exe\\" OR \\"sc.exe\\" OR \\"schtasks.exe\\" OR \\"ssh.exe\\" OR \\"systeminfo.exe\\" OR \\"taskkill.exe\\" OR \\"telnet.exe\\" OR \\"tracert.exe\\" OR \\"wscript.exe\\" OR \\"xcopy.exe\\" OR \\"pscp.exe\\" OR \\"copy.exe\\" OR \\"robocopy.exe\\" OR \\"certutil.exe\\" OR \\"vssadmin.exe\\" OR \\"powershell.exe\\" OR \\"wevtutil.exe\\" OR \\"psexec.exe\\" OR \\"bcedit.exe\\" OR \\"wbadmin.exe\\" OR \\"icacls.exe\\" OR \\"diskpart.exe\\")",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          },\n          "aggs": {\n            "by": {\n              "terms": {\n                "field": "MachineName.keyword",\n                "size": 10,\n                "order": {\n                  "_count": "desc"\n                },\n                "min_doc_count": 6\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.aggregations.by.buckets.0.doc_count": {\n        "gt": 5\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Quick Execution of a Series of Suspicious Commands\'",\n        "body": "Hits:\\n{{#aggregations.by.buckets}}\\n {{key}} {{doc_count}}\\n{{/aggregations.by.buckets}}\\n",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+
+```
+
+
 ### splunk
     
 ```
@@ -91,4 +112,18 @@ level: low
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" CommandLine IN ["arp.exe", "at.exe", "attrib.exe", "cscript.exe", "dsquery.exe", "hostname.exe", "ipconfig.exe", "mimikatz.exe", "nbtstat.exe", "net.exe", "netsh.exe", "nslookup.exe", "ping.exe", "quser.exe", "qwinsta.exe", "reg.exe", "runas.exe", "sc.exe", "schtasks.exe", "ssh.exe", "systeminfo.exe", "taskkill.exe", "telnet.exe", "tracert.exe", "wscript.exe", "xcopy.exe", "pscp.exe", "copy.exe", "robocopy.exe", "certutil.exe", "vssadmin.exe", "powershell.exe", "wevtutil.exe", "psexec.exe", "bcedit.exe", "wbadmin.exe", "icacls.exe", "diskpart.exe"]) | chart count() as val by MachineName | search val > 5
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*arp\\.exe|.*at\\.exe|.*attrib\\.exe|.*cscript\\.exe|.*dsquery\\.exe|.*hostname\\.exe|.*ipconfig\\.exe|.*mimikatz\\.exe|.*nbtstat\\.exe|.*net\\.exe|.*netsh\\.exe|.*nslookup\\.exe|.*ping\\.exe|.*quser\\.exe|.*qwinsta\\.exe|.*reg\\.exe|.*runas\\.exe|.*sc\\.exe|.*schtasks\\.exe|.*ssh\\.exe|.*systeminfo\\.exe|.*taskkill\\.exe|.*telnet\\.exe|.*tracert\\.exe|.*wscript\\.exe|.*xcopy\\.exe|.*pscp\\.exe|.*copy\\.exe|.*robocopy\\.exe|.*certutil\\.exe|.*vssadmin\\.exe|.*powershell\\.exe|.*wevtutil\\.exe|.*psexec\\.exe|.*bcedit\\.exe|.*wbadmin\\.exe|.*icacls\\.exe|.*diskpart\\.exe)'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_net_ntlm_downgrade.md b/Atomic_Threat_Coverage/Detection_Rules/win_net_ntlm_downgrade.md
index b065a34..5f19f6a 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_net_ntlm_downgrade.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_net_ntlm_downgrade.md
@@ -3,7 +3,7 @@
 | Description          | Detects post exploitation using NetNTLM downgrade attacks                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1212: Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0059_4657_registry_value_was_modified](../Data_Needed/DN_0059_4657_registry_value_was_modified.md)</li><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li><li>[DN_0059_4657_registry_value_was_modified](../Data_Needed/DN_0059_4657_registry_value_was_modified.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1212: Exploitation for Credential Access](../Triggers/T1212.md)</li></ul>  |
 | Severity Level       | critical |
@@ -66,6 +66,27 @@ detection:
 
 
 
+### es-qs
+    
+```
+(EventID:"13" AND TargetObject.keyword:(*SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\lmcompatibilitylevel OR *SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\NtlmMinClientSec OR *SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\RestrictSendingNTLMTraffic))\n(EventID:"4657" AND ObjectName.keyword:\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa AND ObjectValueName:("LmCompatibilityLevel" OR "NtlmMinClientSec" OR "RestrictSendingNTLMTraffic"))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/NetNTLM-Downgrade-Attack <<EOF\n{\n  "metadata": {\n    "title": "NetNTLM Downgrade Attack",\n    "description": "Detects post exploitation using NetNTLM downgrade attacks",\n    "tags": [\n      "attack.credential_access",\n      "attack.t1212"\n    ],\n    "query": "(EventID:\\"13\\" AND TargetObject.keyword:(*SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\lmcompatibilitylevel OR *SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\NtlmMinClientSec OR *SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\RestrictSendingNTLMTraffic))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:\\"13\\" AND TargetObject.keyword:(*SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\lmcompatibilitylevel OR *SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\NtlmMinClientSec OR *SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\RestrictSendingNTLMTraffic))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'NetNTLM Downgrade Attack\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\ncurl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/NetNTLM-Downgrade-Attack-2 <<EOF\n{\n  "metadata": {\n    "title": "NetNTLM Downgrade Attack",\n    "description": "Detects post exploitation using NetNTLM downgrade attacks",\n    "tags": [\n      "attack.credential_access",\n      "attack.t1212"\n    ],\n    "query": "(EventID:\\"4657\\" AND ObjectName.keyword:\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa AND ObjectValueName:(\\"LmCompatibilityLevel\\" OR \\"NtlmMinClientSec\\" OR \\"RestrictSendingNTLMTraffic\\"))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:\\"4657\\" AND ObjectName.keyword:\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa AND ObjectValueName:(\\"LmCompatibilityLevel\\" OR \\"NtlmMinClientSec\\" OR \\"RestrictSendingNTLMTraffic\\"))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'NetNTLM Downgrade Attack\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(EventID:"13" AND TargetObject.keyword:(*SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\lmcompatibilitylevel *SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\NtlmMinClientSec *SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\RestrictSendingNTLMTraffic))\n(EventID:"4657" AND ObjectName.keyword:\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa AND ObjectValueName:("LmCompatibilityLevel" "NtlmMinClientSec" "RestrictSendingNTLMTraffic"))
+```
+
+
 ### splunk
     
 ```
@@ -73,4 +94,18 @@ detection:
 ```
 
 
+### logpoint
+    
+```
+(event_id="13" TargetObject IN ["*SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\lmcompatibilitylevel", "*SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\NtlmMinClientSec", "*SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\RestrictSendingNTLMTraffic"])\n(event_source="Microsoft-Windows-Security-Auditing" event_id="4657" ObjectName="\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa" ObjectValueName IN ["LmCompatibilityLevel", "NtlmMinClientSec", "RestrictSendingNTLMTraffic"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*13)(?=.*(?:.*.*SYSTEM\\\\.*ControlSet.*\\Control\\Lsa\\lmcompatibilitylevel|.*.*SYSTEM\\\\.*ControlSet.*\\Control\\Lsa\\NtlmMinClientSec|.*.*SYSTEM\\\\.*ControlSet.*\\Control\\Lsa\\RestrictSendingNTLMTraffic)))'\ngrep -P '^(?:.*(?=.*4657)(?=.*\\REGISTRY\\MACHINE\\SYSTEM\\\\.*ControlSet.*\\Control\\Lsa)(?=.*(?:.*LmCompatibilityLevel|.*NtlmMinClientSec|.*RestrictSendingNTLMTraffic)))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_netsh_fw_add.md b/Atomic_Threat_Coverage/Detection_Rules/win_netsh_fw_add.md
index 6084897..a2f63b8 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_netsh_fw_add.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_netsh_fw_add.md
@@ -3,7 +3,7 @@
 | Description          | Allow Incoming Connections by Port or Application on Windows Firewall                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li><li>[TA0011: Command and Control](https://attack.mitre.org/tactics/TA0011)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1090: Connection Proxy](https://attack.mitre.org/techniques/T1090)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1090: Connection Proxy](../Triggers/T1090.md)</li></ul>  |
 | Severity Level       | medium |
@@ -49,6 +49,27 @@ level: medium
 
 
 
+### es-qs
+    
+```
+CommandLine.keyword:(*netsh\\ firewall\\ add*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Netsh <<EOF\n{\n  "metadata": {\n    "title": "Netsh",\n    "description": "Allow Incoming Connections by Port or Application on Windows Firewall",\n    "tags": [\n      "attack.lateral_movement",\n      "attack.command_and_control",\n      "attack.t1090"\n    ],\n    "query": "CommandLine.keyword:(*netsh\\\\ firewall\\\\ add*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "CommandLine.keyword:(*netsh\\\\ firewall\\\\ add*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Netsh\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+CommandLine.keyword:(*netsh firewall add*)
+```
+
+
 ### splunk
     
 ```
@@ -56,4 +77,18 @@ level: medium
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" CommandLine IN ["*netsh firewall add*"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*.*netsh firewall add.*)'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_netsh_packet_capture.md b/Atomic_Threat_Coverage/Detection_Rules/win_netsh_packet_capture.md
index db30746..de9187e 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_netsh_packet_capture.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_netsh_packet_capture.md
@@ -49,6 +49,27 @@ level: medium
 
 
 
+### es-qs
+    
+```
+(CommandLine.keyword:*netsh* AND CommandLine.keyword:*trace* AND CommandLine.keyword:*start*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Capture-a-Network-Trace-with-netsh.exe <<EOF\n{\n  "metadata": {\n    "title": "Capture a Network Trace with netsh.exe",\n    "description": "Detects capture a network trace via netsh.exe trace functionality",\n    "tags": [\n      "attack.discovery",\n      "attack.t1040"\n    ],\n    "query": "(CommandLine.keyword:*netsh* AND CommandLine.keyword:*trace* AND CommandLine.keyword:*start*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(CommandLine.keyword:*netsh* AND CommandLine.keyword:*trace* AND CommandLine.keyword:*start*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Capture a Network Trace with netsh.exe\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(CommandLine.keyword:*netsh* AND CommandLine.keyword:*trace* AND CommandLine.keyword:*start*)
+```
+
+
 ### splunk
     
 ```
@@ -56,4 +77,18 @@ level: medium
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" CommandLine="*netsh*" CommandLine="*trace*" CommandLine="*start*")
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*.*netsh.*)(?=.*.*trace.*)(?=.*.*start.*))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_netsh_port_fwd.md b/Atomic_Threat_Coverage/Detection_Rules/win_netsh_port_fwd.md
index 68b4bb7..9539734 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_netsh_port_fwd.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_netsh_port_fwd.md
@@ -3,7 +3,7 @@
 | Description          | Detects netsh commands that configure a port forwarding                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li><li>[TA0011: Command and Control](https://attack.mitre.org/tactics/TA0011)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1090: Connection Proxy](https://attack.mitre.org/techniques/T1090)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1090: Connection Proxy](../Triggers/T1090.md)</li></ul>  |
 | Severity Level       | medium |
@@ -48,6 +48,27 @@ level: medium
 
 
 
+### es-qs
+    
+```
+CommandLine.keyword:(netsh\\ interface\\ portproxy\\ add\\ v4tov4\\ *)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Netsh-Port-Forwarding <<EOF\n{\n  "metadata": {\n    "title": "Netsh Port Forwarding",\n    "description": "Detects netsh commands that configure a port forwarding",\n    "tags": [\n      "attack.lateral_movement",\n      "attack.command_and_control",\n      "attack.t1090"\n    ],\n    "query": "CommandLine.keyword:(netsh\\\\ interface\\\\ portproxy\\\\ add\\\\ v4tov4\\\\ *)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "CommandLine.keyword:(netsh\\\\ interface\\\\ portproxy\\\\ add\\\\ v4tov4\\\\ *)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Netsh Port Forwarding\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+CommandLine.keyword:(netsh interface portproxy add v4tov4 *)
+```
+
+
 ### splunk
     
 ```
@@ -55,4 +76,18 @@ level: medium
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" CommandLine IN ["netsh interface portproxy add v4tov4 *"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*netsh interface portproxy add v4tov4 .*)'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_netsh_port_fwd_3389.md b/Atomic_Threat_Coverage/Detection_Rules/win_netsh_port_fwd_3389.md
index 9e692d5..0684752 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_netsh_port_fwd_3389.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_netsh_port_fwd_3389.md
@@ -3,7 +3,7 @@
 | Description          | Detects netsh commands that configure a port forwarding of port 3389 used for RDP                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1021: Remote Services](https://attack.mitre.org/techniques/T1021)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1021: Remote Services](../Triggers/T1021.md)</li></ul>  |
 | Severity Level       | high |
@@ -48,6 +48,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+CommandLine.keyword:(netsh\\ i*\\ p*\\=3389\\ c*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Netsh-RDP-Port-Forwarding <<EOF\n{\n  "metadata": {\n    "title": "Netsh RDP Port Forwarding",\n    "description": "Detects netsh commands that configure a port forwarding of port 3389 used for RDP",\n    "tags": [\n      "attack.lateral_movement",\n      "attack.t1021",\n      "car.2013-07-002"\n    ],\n    "query": "CommandLine.keyword:(netsh\\\\ i*\\\\ p*\\\\=3389\\\\ c*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "CommandLine.keyword:(netsh\\\\ i*\\\\ p*\\\\=3389\\\\ c*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Netsh RDP Port Forwarding\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+CommandLine.keyword:(netsh i* p*=3389 c*)
+```
+
+
 ### splunk
     
 ```
@@ -55,4 +76,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" CommandLine IN ["netsh i* p*=3389 c*"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*netsh i.* p.*=3389 c.*)'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_network_sniffing.md b/Atomic_Threat_Coverage/Detection_Rules/win_network_sniffing.md
index f175a20..af9aa24 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_network_sniffing.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_network_sniffing.md
@@ -59,6 +59,27 @@ tags:
 
 
 
+### es-qs
+    
+```
+((Image.keyword:*\\\\tshark.exe AND CommandLine.keyword:*\\-i*) OR Image.keyword:*\\\\windump.exe)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Network-Sniffing <<EOF\n{\n  "metadata": {\n    "title": "Network Sniffing",\n    "description": "Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.",\n    "tags": [\n      "attack.credential_access",\n      "attack.discovery",\n      "attack.t1040"\n    ],\n    "query": "((Image.keyword:*\\\\\\\\tshark.exe AND CommandLine.keyword:*\\\\-i*) OR Image.keyword:*\\\\\\\\windump.exe)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "((Image.keyword:*\\\\\\\\tshark.exe AND CommandLine.keyword:*\\\\-i*) OR Image.keyword:*\\\\\\\\windump.exe)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Network Sniffing\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n            Image = {{_source.Image}}\\n      CommandLine = {{_source.CommandLine}}\\n             User = {{_source.User}}\\n        LogonGuid = {{_source.LogonGuid}}\\n           Hashes = {{_source.Hashes}}\\nParentProcessGuid = {{_source.ParentProcessGuid}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+((Image.keyword:*\\\\tshark.exe AND CommandLine.keyword:*\\-i*) OR Image.keyword:*\\\\windump.exe)
+```
+
+
 ### splunk
     
 ```
@@ -66,4 +87,18 @@ tags:
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" ((Image="*\\\\tshark.exe" CommandLine="*-i*") OR Image="*\\\\windump.exe"))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?:.*(?:.*(?=.*.*\\tshark\\.exe)(?=.*.*-i.*))|.*.*\\windump\\.exe))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_office_shell.md b/Atomic_Threat_Coverage/Detection_Rules/win_office_shell.md
index 5e2d633..f489c51 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_office_shell.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_office_shell.md
@@ -3,7 +3,7 @@
 | Description          | Detects a Windows command line executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio.                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1059: Command-Line Interface](https://attack.mitre.org/techniques/T1059)</li><li>[T1202: Indirect Command Execution](https://attack.mitre.org/techniques/T1202)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1059: Command-Line Interface](../Triggers/T1059.md)</li><li>[T1202: Indirect Command Execution](../Triggers/T1202.md)</li></ul>  |
 | Severity Level       | high |
@@ -80,6 +80,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(ParentImage.keyword:(*\\\\WINWORD.EXE OR *\\\\EXCEL.EXE OR *\\\\POWERPNT.exe OR *\\\\MSPUB.exe OR *\\\\VISIO.exe OR *\\\\OUTLOOK.EXE) AND Image.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\wscript.exe OR *\\\\cscript.exe OR *\\\\sh.exe OR *\\\\bash.exe OR *\\\\scrcons.exe OR *\\\\schtasks.exe OR *\\\\regsvr32.exe OR *\\\\hh.exe OR *\\\\wmic.exe OR *\\\\mshta.exe OR *\\\\rundll32.exe OR *\\\\msiexec.exe OR *\\\\forfiles.exe OR *\\\\scriptrunner.exe OR *\\\\mftrace.exe OR *\\\\AppVLP.exe OR *\\\\svchost.exe))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Microsoft-Office-Product-Spawning-Windows-Shell <<EOF\n{\n  "metadata": {\n    "title": "Microsoft Office Product Spawning Windows Shell",\n    "description": "Detects a Windows command line executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio.",\n    "tags": [\n      "attack.execution",\n      "attack.defense_evasion",\n      "attack.t1059",\n      "attack.t1202",\n      "car.2013-02-003",\n      "car.2014-04-003"\n    ],\n    "query": "(ParentImage.keyword:(*\\\\\\\\WINWORD.EXE OR *\\\\\\\\EXCEL.EXE OR *\\\\\\\\POWERPNT.exe OR *\\\\\\\\MSPUB.exe OR *\\\\\\\\VISIO.exe OR *\\\\\\\\OUTLOOK.EXE) AND Image.keyword:(*\\\\\\\\cmd.exe OR *\\\\\\\\powershell.exe OR *\\\\\\\\wscript.exe OR *\\\\\\\\cscript.exe OR *\\\\\\\\sh.exe OR *\\\\\\\\bash.exe OR *\\\\\\\\scrcons.exe OR *\\\\\\\\schtasks.exe OR *\\\\\\\\regsvr32.exe OR *\\\\\\\\hh.exe OR *\\\\\\\\wmic.exe OR *\\\\\\\\mshta.exe OR *\\\\\\\\rundll32.exe OR *\\\\\\\\msiexec.exe OR *\\\\\\\\forfiles.exe OR *\\\\\\\\scriptrunner.exe OR *\\\\\\\\mftrace.exe OR *\\\\\\\\AppVLP.exe OR *\\\\\\\\svchost.exe))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(ParentImage.keyword:(*\\\\\\\\WINWORD.EXE OR *\\\\\\\\EXCEL.EXE OR *\\\\\\\\POWERPNT.exe OR *\\\\\\\\MSPUB.exe OR *\\\\\\\\VISIO.exe OR *\\\\\\\\OUTLOOK.EXE) AND Image.keyword:(*\\\\\\\\cmd.exe OR *\\\\\\\\powershell.exe OR *\\\\\\\\wscript.exe OR *\\\\\\\\cscript.exe OR *\\\\\\\\sh.exe OR *\\\\\\\\bash.exe OR *\\\\\\\\scrcons.exe OR *\\\\\\\\schtasks.exe OR *\\\\\\\\regsvr32.exe OR *\\\\\\\\hh.exe OR *\\\\\\\\wmic.exe OR *\\\\\\\\mshta.exe OR *\\\\\\\\rundll32.exe OR *\\\\\\\\msiexec.exe OR *\\\\\\\\forfiles.exe OR *\\\\\\\\scriptrunner.exe OR *\\\\\\\\mftrace.exe OR *\\\\\\\\AppVLP.exe OR *\\\\\\\\svchost.exe))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Microsoft Office Product Spawning Windows Shell\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n      CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(ParentImage.keyword:(*\\\\WINWORD.EXE *\\\\EXCEL.EXE *\\\\POWERPNT.exe *\\\\MSPUB.exe *\\\\VISIO.exe *\\\\OUTLOOK.EXE) AND Image.keyword:(*\\\\cmd.exe *\\\\powershell.exe *\\\\wscript.exe *\\\\cscript.exe *\\\\sh.exe *\\\\bash.exe *\\\\scrcons.exe *\\\\schtasks.exe *\\\\regsvr32.exe *\\\\hh.exe *\\\\wmic.exe *\\\\mshta.exe *\\\\rundll32.exe *\\\\msiexec.exe *\\\\forfiles.exe *\\\\scriptrunner.exe *\\\\mftrace.exe *\\\\AppVLP.exe *\\\\svchost.exe))
+```
+
+
 ### splunk
     
 ```
@@ -87,4 +108,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" ParentImage IN ["*\\\\WINWORD.EXE", "*\\\\EXCEL.EXE", "*\\\\POWERPNT.exe", "*\\\\MSPUB.exe", "*\\\\VISIO.exe", "*\\\\OUTLOOK.EXE"] Image IN ["*\\\\cmd.exe", "*\\\\powershell.exe", "*\\\\wscript.exe", "*\\\\cscript.exe", "*\\\\sh.exe", "*\\\\bash.exe", "*\\\\scrcons.exe", "*\\\\schtasks.exe", "*\\\\regsvr32.exe", "*\\\\hh.exe", "*\\\\wmic.exe", "*\\\\mshta.exe", "*\\\\rundll32.exe", "*\\\\msiexec.exe", "*\\\\forfiles.exe", "*\\\\scriptrunner.exe", "*\\\\mftrace.exe", "*\\\\AppVLP.exe", "*\\\\svchost.exe"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*.*\\WINWORD\\.EXE|.*.*\\EXCEL\\.EXE|.*.*\\POWERPNT\\.exe|.*.*\\MSPUB\\.exe|.*.*\\VISIO\\.exe|.*.*\\OUTLOOK\\.EXE))(?=.*(?:.*.*\\cmd\\.exe|.*.*\\powershell\\.exe|.*.*\\wscript\\.exe|.*.*\\cscript\\.exe|.*.*\\sh\\.exe|.*.*\\bash\\.exe|.*.*\\scrcons\\.exe|.*.*\\schtasks\\.exe|.*.*\\regsvr32\\.exe|.*.*\\hh\\.exe|.*.*\\wmic\\.exe|.*.*\\mshta\\.exe|.*.*\\rundll32\\.exe|.*.*\\msiexec\\.exe|.*.*\\forfiles\\.exe|.*.*\\scriptrunner\\.exe|.*.*\\mftrace\\.exe|.*.*\\AppVLP\\.exe|.*.*\\svchost\\.exe)))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_office_spawn_exe_from_users_directory.md b/Atomic_Threat_Coverage/Detection_Rules/win_office_spawn_exe_from_users_directory.md
index 8ca6d1a..774c148 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_office_spawn_exe_from_users_directory.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_office_spawn_exe_from_users_directory.md
@@ -3,7 +3,7 @@
 | Description          | Detects an executable in the users directory started from Microsoft Word, Excel, Powerpoint, Publisher or Visio                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1059: Command-Line Interface](https://attack.mitre.org/techniques/T1059)</li><li>[T1202: Indirect Command Execution](https://attack.mitre.org/techniques/T1202)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1059: Command-Line Interface](../Triggers/T1059.md)</li><li>[T1202: Indirect Command Execution](../Triggers/T1202.md)</li></ul>  |
 | Severity Level       | high |
@@ -62,6 +62,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(ParentImage.keyword:(*\\\\WINWORD.EXE OR *\\\\EXCEL.EXE OR *\\\\POWERPNT.exe OR *\\\\MSPUB.exe OR *\\\\VISIO.exe OR *\\\\OUTLOOK.EXE) AND Image.keyword:(C\\:\\\\users\\\\*.exe))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/MS-Office-Product-Spawning-Exe-in-User-Dir <<EOF\n{\n  "metadata": {\n    "title": "MS Office Product Spawning Exe in User Dir",\n    "description": "Detects an executable in the users directory started from Microsoft Word, Excel, Powerpoint, Publisher or Visio",\n    "tags": [\n      "attack.execution",\n      "attack.defense_evasion",\n      "attack.t1059",\n      "attack.t1202",\n      "FIN7",\n      "car.2013-05-002"\n    ],\n    "query": "(ParentImage.keyword:(*\\\\\\\\WINWORD.EXE OR *\\\\\\\\EXCEL.EXE OR *\\\\\\\\POWERPNT.exe OR *\\\\\\\\MSPUB.exe OR *\\\\\\\\VISIO.exe OR *\\\\\\\\OUTLOOK.EXE) AND Image.keyword:(C\\\\:\\\\\\\\users\\\\\\\\*.exe))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(ParentImage.keyword:(*\\\\\\\\WINWORD.EXE OR *\\\\\\\\EXCEL.EXE OR *\\\\\\\\POWERPNT.exe OR *\\\\\\\\MSPUB.exe OR *\\\\\\\\VISIO.exe OR *\\\\\\\\OUTLOOK.EXE) AND Image.keyword:(C\\\\:\\\\\\\\users\\\\\\\\*.exe))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'MS Office Product Spawning Exe in User Dir\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n      CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(ParentImage.keyword:(*\\\\WINWORD.EXE *\\\\EXCEL.EXE *\\\\POWERPNT.exe *\\\\MSPUB.exe *\\\\VISIO.exe *\\\\OUTLOOK.EXE) AND Image.keyword:(C\\:\\\\users\\\\*.exe))
+```
+
+
 ### splunk
     
 ```
@@ -69,4 +90,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" ParentImage IN ["*\\\\WINWORD.EXE", "*\\\\EXCEL.EXE", "*\\\\POWERPNT.exe", "*\\\\MSPUB.exe", "*\\\\VISIO.exe", "*\\\\OUTLOOK.EXE"] Image IN ["C:\\\\users\\\\*.exe"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*.*\\WINWORD\\.EXE|.*.*\\EXCEL\\.EXE|.*.*\\POWERPNT\\.exe|.*.*\\MSPUB\\.exe|.*.*\\VISIO\\.exe|.*.*\\OUTLOOK\\.EXE))(?=.*(?:.*C:\\users\\\\.*\\.exe)))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_overpass_the_hash.md b/Atomic_Threat_Coverage/Detection_Rules/win_overpass_the_hash.md
index 7043611..1d43785 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_overpass_the_hash.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_overpass_the_hash.md
@@ -50,6 +50,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(EventID:"4624" AND LogonType:"9" AND LogonProcessName:"seclogo" AND AuthenticationPackageName:"Negotiate")
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Successful-Overpass-the-Hash-Attempt <<EOF\n{\n  "metadata": {\n    "title": "Successful Overpass the Hash Attempt",\n    "description": "Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz\'s sekurlsa::pth module.",\n    "tags": [\n      "attack.lateral_movement",\n      "attack.t1075",\n      "attack.s0002"\n    ],\n    "query": "(EventID:\\"4624\\" AND LogonType:\\"9\\" AND LogonProcessName:\\"seclogo\\" AND AuthenticationPackageName:\\"Negotiate\\")"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:\\"4624\\" AND LogonType:\\"9\\" AND LogonProcessName:\\"seclogo\\" AND AuthenticationPackageName:\\"Negotiate\\")",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Successful Overpass the Hash Attempt\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(EventID:"4624" AND LogonType:"9" AND LogonProcessName:"seclogo" AND AuthenticationPackageName:"Negotiate")
+```
+
+
 ### splunk
     
 ```
@@ -57,4 +78,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_source="Microsoft-Windows-Security-Auditing" event_id="4624" logon_type="9" logon_process="seclogo" AuthenticationPackageName="Negotiate")
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*4624)(?=.*9)(?=.*seclogo)(?=.*Negotiate))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_pass_the_hash.md b/Atomic_Threat_Coverage/Detection_Rules/win_pass_the_hash.md
index 2d5430c..acdcdfa 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_pass_the_hash.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_pass_the_hash.md
@@ -3,7 +3,7 @@
 | Description          | Detects the attack technique pass the hash which is used to move laterally inside the network                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1075: Pass the Hash](https://attack.mitre.org/techniques/T1075)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0057_4625_account_failed_to_logon](../Data_Needed/DN_0057_4625_account_failed_to_logon.md)</li><li>[DN_0004_4624_windows_account_logon](../Data_Needed/DN_0004_4624_windows_account_logon.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0004_4624_windows_account_logon](../Data_Needed/DN_0004_4624_windows_account_logon.md)</li><li>[DN_0057_4625_account_failed_to_logon](../Data_Needed/DN_0057_4625_account_failed_to_logon.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1075: Pass the Hash](../Triggers/T1075.md)</li></ul>  |
 | Severity Level       | medium |
@@ -59,6 +59,27 @@ level: medium
 
 
 
+### es-qs
+    
+```
+((LogonType:"3" AND LogonProcessName:"NtLmSsp" AND WorkstationName:"%Workstations%" AND ComputerName:"%Workstations%" AND (EventID:"4624" OR EventID:"4625")) AND (NOT (AccountName:"ANONYMOUS\\ LOGON")))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Pass-the-Hash-Activity <<EOF\n{\n  "metadata": {\n    "title": "Pass the Hash Activity",\n    "description": "Detects the attack technique pass the hash which is used to move laterally inside the network",\n    "tags": [\n      "attack.lateral_movement",\n      "attack.t1075",\n      "car.2016-04-004"\n    ],\n    "query": "((LogonType:\\"3\\" AND LogonProcessName:\\"NtLmSsp\\" AND WorkstationName:\\"%Workstations%\\" AND ComputerName:\\"%Workstations%\\" AND (EventID:\\"4624\\" OR EventID:\\"4625\\")) AND (NOT (AccountName:\\"ANONYMOUS\\\\ LOGON\\")))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "((LogonType:\\"3\\" AND LogonProcessName:\\"NtLmSsp\\" AND WorkstationName:\\"%Workstations%\\" AND ComputerName:\\"%Workstations%\\" AND (EventID:\\"4624\\" OR EventID:\\"4625\\")) AND (NOT (AccountName:\\"ANONYMOUS\\\\ LOGON\\")))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Pass the Hash Activity\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+((LogonType:"3" AND LogonProcessName:"NtLmSsp" AND WorkstationName:"%Workstations%" AND ComputerName:"%Workstations%" AND (EventID:"4624" OR EventID:"4625")) AND (NOT (AccountName:"ANONYMOUS LOGON")))
+```
+
+
 ### splunk
     
 ```
@@ -66,4 +87,18 @@ level: medium
 ```
 
 
+### logpoint
+    
+```
+(event_source="Microsoft-Windows-Security-Auditing" (logon_type="3" logon_process="NtLmSsp" WorkstationName="%Workstations%" ComputerName="%Workstations%" (event_id="4624" OR event_id="4625"))  -(AccountName="ANONYMOUS LOGON"))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*(?=.*3)(?=.*NtLmSsp)(?=.*%Workstations%)(?=.*%Workstations%)(?=.*(?:.*(?:.*4624|.*4625)))))(?=.*(?!.*(?:.*(?=.*ANONYMOUS LOGON)))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_pass_the_hash_2.md b/Atomic_Threat_Coverage/Detection_Rules/win_pass_the_hash_2.md
index c13e731..38bbbf7 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_pass_the_hash_2.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_pass_the_hash_2.md
@@ -58,6 +58,27 @@ level: medium
 
 
 
+### es-qs
+    
+```
+((EventID:"4624" AND ((SubjectUserSid:"S\\-1\\-0\\-0" AND LogonType:"3" AND LogonProcessName:"NtLmSsp" AND KeyLength:"0") OR (LogonType:"9" AND LogonProcessName:"seclogo"))) AND (NOT (AccountName:"ANONYMOUS\\ LOGON")))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Pass-the-Hash-Activity <<EOF\n{\n  "metadata": {\n    "title": "Pass the Hash Activity",\n    "description": "Detects the attack technique pass the hash which is used to move laterally inside the network",\n    "tags": [\n      "attack.lateral_movement",\n      "attack.t1075"\n    ],\n    "query": "((EventID:\\"4624\\" AND ((SubjectUserSid:\\"S\\\\-1\\\\-0\\\\-0\\" AND LogonType:\\"3\\" AND LogonProcessName:\\"NtLmSsp\\" AND KeyLength:\\"0\\") OR (LogonType:\\"9\\" AND LogonProcessName:\\"seclogo\\"))) AND (NOT (AccountName:\\"ANONYMOUS\\\\ LOGON\\")))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "((EventID:\\"4624\\" AND ((SubjectUserSid:\\"S\\\\-1\\\\-0\\\\-0\\" AND LogonType:\\"3\\" AND LogonProcessName:\\"NtLmSsp\\" AND KeyLength:\\"0\\") OR (LogonType:\\"9\\" AND LogonProcessName:\\"seclogo\\"))) AND (NOT (AccountName:\\"ANONYMOUS\\\\ LOGON\\")))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Pass the Hash Activity\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+((EventID:"4624" AND ((SubjectUserSid:"S\\-1\\-0\\-0" AND LogonType:"3" AND LogonProcessName:"NtLmSsp" AND KeyLength:"0") OR (LogonType:"9" AND LogonProcessName:"seclogo"))) AND (NOT (AccountName:"ANONYMOUS LOGON")))
+```
+
+
 ### splunk
     
 ```
@@ -65,4 +86,18 @@ level: medium
 ```
 
 
+### logpoint
+    
+```
+(event_source="Microsoft-Windows-Security-Auditing" (event_id="4624" ((SubjectUserSid="S-1-0-0" logon_type="3" logon_process="NtLmSsp" key_length="0") OR (logon_type="9" logon_process="seclogo")))  -(AccountName="ANONYMOUS LOGON"))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*(?=.*4624)(?=.*(?:.*(?:.*(?:.*(?=.*S-1-0-0)(?=.*3)(?=.*NtLmSsp)(?=.*0))|.*(?:.*(?=.*9)(?=.*seclogo)))))))(?=.*(?!.*(?:.*(?=.*ANONYMOUS LOGON)))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_plugx_susp_exe_locations.md b/Atomic_Threat_Coverage/Detection_Rules/win_plugx_susp_exe_locations.md
index 5e6d796..3d29571 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_plugx_susp_exe_locations.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_plugx_susp_exe_locations.md
@@ -3,7 +3,7 @@
 | Description          | Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1073: DLL Side-Loading](https://attack.mitre.org/techniques/T1073)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1073: DLL Side-Loading](../Triggers/T1073.md)</li></ul>  |
 | Severity Level       | high |
@@ -121,6 +121,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+((((((((((((Image.keyword:*\\\\CamMute.exe AND (NOT (Image.keyword:*\\\\Lenovo\\\\Communication\\ Utility\\\\*))) OR (Image.keyword:*\\\\chrome_frame_helper.exe AND (NOT (Image.keyword:*\\\\Google\\\\Chrome\\\\application\\\\*)))) OR (Image.keyword:*\\\\dvcemumanager.exe AND (NOT (Image.keyword:*\\\\Microsoft\\ Device\\ Emulator\\\\*)))) OR (Image.keyword:*\\\\Gadget.exe AND (NOT (Image.keyword:*\\\\Windows\\ Media\\ Player\\\\*)))) OR (Image.keyword:*\\\\hcc.exe AND (NOT (Image.keyword:*\\\\HTML\\ Help\\ Workshop\\\\*)))) OR (Image.keyword:*\\\\hkcmd.exe AND (NOT (Image.keyword:(*\\\\System32\\\\* OR *\\\\SysNative\\\\* OR *\\\\SysWowo64\\\\*))))) OR (Image.keyword:*\\\\Mc.exe AND (NOT (Image.keyword:(*\\\\Microsoft\\ Visual\\ Studio* OR *\\\\Microsoft\\ SDK* OR *\\\\Windows\\ Kit*))))) OR (Image.keyword:*\\\\MsMpEng.exe AND (NOT (Image.keyword:(*\\\\Microsoft\\ Security\\ Client\\\\* OR *\\\\Windows\\ Defender\\\\* OR *\\\\AntiMalware\\\\*))))) OR (Image.keyword:*\\\\msseces.exe AND (NOT (Image.keyword:(*\\\\Microsoft\\ Security\\ Center\\\\* OR *\\\\Microsoft\\ Security\\ Client\\\\* OR *\\\\Microsoft\\ Security\\ Essentials\\\\*))))) OR (Image.keyword:*\\\\OInfoP11.exe AND (NOT (Image.keyword:*\\\\Common\\ Files\\\\Microsoft\\ Shared\\\\*)))) OR (Image.keyword:*\\\\OleView.exe AND (NOT (Image.keyword:(*\\\\Microsoft\\ Visual\\ Studio* OR *\\\\Microsoft\\ SDK* OR *\\\\Windows\\ Kit* OR *\\\\Windows\\ Resource\\ Kit\\\\*))))) OR (Image.keyword:*\\\\rc.exe AND (NOT (Image.keyword:(*\\\\Microsoft\\ Visual\\ Studio* OR *\\\\Microsoft\\ SDK* OR *\\\\Windows\\ Kit* OR *\\\\Windows\\ Resource\\ Kit\\\\* OR *\\\\Microsoft.NET\\\\*)))))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Executable-used-by-PlugX-in-Uncommon-Location---Sysmon-Version <<EOF\n{\n  "metadata": {\n    "title": "Executable used by PlugX in Uncommon Location - Sysmon Version",\n    "description": "Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location",\n    "tags": [\n      "attack.s0013",\n      "attack.defense_evasion",\n      "attack.t1073"\n    ],\n    "query": "((((((((((((Image.keyword:*\\\\\\\\CamMute.exe AND (NOT (Image.keyword:*\\\\\\\\Lenovo\\\\\\\\Communication\\\\ Utility\\\\\\\\*))) OR (Image.keyword:*\\\\\\\\chrome_frame_helper.exe AND (NOT (Image.keyword:*\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\application\\\\\\\\*)))) OR (Image.keyword:*\\\\\\\\dvcemumanager.exe AND (NOT (Image.keyword:*\\\\\\\\Microsoft\\\\ Device\\\\ Emulator\\\\\\\\*)))) OR (Image.keyword:*\\\\\\\\Gadget.exe AND (NOT (Image.keyword:*\\\\\\\\Windows\\\\ Media\\\\ Player\\\\\\\\*)))) OR (Image.keyword:*\\\\\\\\hcc.exe AND (NOT (Image.keyword:*\\\\\\\\HTML\\\\ Help\\\\ Workshop\\\\\\\\*)))) OR (Image.keyword:*\\\\\\\\hkcmd.exe AND (NOT (Image.keyword:(*\\\\\\\\System32\\\\\\\\* OR *\\\\\\\\SysNative\\\\\\\\* OR *\\\\\\\\SysWowo64\\\\\\\\*))))) OR (Image.keyword:*\\\\\\\\Mc.exe AND (NOT (Image.keyword:(*\\\\\\\\Microsoft\\\\ Visual\\\\ Studio* OR *\\\\\\\\Microsoft\\\\ SDK* OR *\\\\\\\\Windows\\\\ Kit*))))) OR (Image.keyword:*\\\\\\\\MsMpEng.exe AND (NOT (Image.keyword:(*\\\\\\\\Microsoft\\\\ Security\\\\ Client\\\\\\\\* OR *\\\\\\\\Windows\\\\ Defender\\\\\\\\* OR *\\\\\\\\AntiMalware\\\\\\\\*))))) OR (Image.keyword:*\\\\\\\\msseces.exe AND (NOT (Image.keyword:(*\\\\\\\\Microsoft\\\\ Security\\\\ Center\\\\\\\\* OR *\\\\\\\\Microsoft\\\\ Security\\\\ Client\\\\\\\\* OR *\\\\\\\\Microsoft\\\\ Security\\\\ Essentials\\\\\\\\*))))) OR (Image.keyword:*\\\\\\\\OInfoP11.exe AND (NOT (Image.keyword:*\\\\\\\\Common\\\\ Files\\\\\\\\Microsoft\\\\ Shared\\\\\\\\*)))) OR (Image.keyword:*\\\\\\\\OleView.exe AND (NOT (Image.keyword:(*\\\\\\\\Microsoft\\\\ Visual\\\\ Studio* OR *\\\\\\\\Microsoft\\\\ SDK* OR *\\\\\\\\Windows\\\\ Kit* OR *\\\\\\\\Windows\\\\ Resource\\\\ Kit\\\\\\\\*))))) OR (Image.keyword:*\\\\\\\\rc.exe AND (NOT (Image.keyword:(*\\\\\\\\Microsoft\\\\ Visual\\\\ Studio* OR *\\\\\\\\Microsoft\\\\ SDK* OR *\\\\\\\\Windows\\\\ Kit* OR *\\\\\\\\Windows\\\\ Resource\\\\ Kit\\\\\\\\* OR *\\\\\\\\Microsoft.NET\\\\\\\\*)))))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "((((((((((((Image.keyword:*\\\\\\\\CamMute.exe AND (NOT (Image.keyword:*\\\\\\\\Lenovo\\\\\\\\Communication\\\\ Utility\\\\\\\\*))) OR (Image.keyword:*\\\\\\\\chrome_frame_helper.exe AND (NOT (Image.keyword:*\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\application\\\\\\\\*)))) OR (Image.keyword:*\\\\\\\\dvcemumanager.exe AND (NOT (Image.keyword:*\\\\\\\\Microsoft\\\\ Device\\\\ Emulator\\\\\\\\*)))) OR (Image.keyword:*\\\\\\\\Gadget.exe AND (NOT (Image.keyword:*\\\\\\\\Windows\\\\ Media\\\\ Player\\\\\\\\*)))) OR (Image.keyword:*\\\\\\\\hcc.exe AND (NOT (Image.keyword:*\\\\\\\\HTML\\\\ Help\\\\ Workshop\\\\\\\\*)))) OR (Image.keyword:*\\\\\\\\hkcmd.exe AND (NOT (Image.keyword:(*\\\\\\\\System32\\\\\\\\* OR *\\\\\\\\SysNative\\\\\\\\* OR *\\\\\\\\SysWowo64\\\\\\\\*))))) OR (Image.keyword:*\\\\\\\\Mc.exe AND (NOT (Image.keyword:(*\\\\\\\\Microsoft\\\\ Visual\\\\ Studio* OR *\\\\\\\\Microsoft\\\\ SDK* OR *\\\\\\\\Windows\\\\ Kit*))))) OR (Image.keyword:*\\\\\\\\MsMpEng.exe AND (NOT (Image.keyword:(*\\\\\\\\Microsoft\\\\ Security\\\\ Client\\\\\\\\* OR *\\\\\\\\Windows\\\\ Defender\\\\\\\\* OR *\\\\\\\\AntiMalware\\\\\\\\*))))) OR (Image.keyword:*\\\\\\\\msseces.exe AND (NOT (Image.keyword:(*\\\\\\\\Microsoft\\\\ Security\\\\ Center\\\\\\\\* OR *\\\\\\\\Microsoft\\\\ Security\\\\ Client\\\\\\\\* OR *\\\\\\\\Microsoft\\\\ Security\\\\ Essentials\\\\\\\\*))))) OR (Image.keyword:*\\\\\\\\OInfoP11.exe AND (NOT (Image.keyword:*\\\\\\\\Common\\\\ Files\\\\\\\\Microsoft\\\\ Shared\\\\\\\\*)))) OR (Image.keyword:*\\\\\\\\OleView.exe AND (NOT (Image.keyword:(*\\\\\\\\Microsoft\\\\ Visual\\\\ Studio* OR *\\\\\\\\Microsoft\\\\ SDK* OR *\\\\\\\\Windows\\\\ Kit* OR *\\\\\\\\Windows\\\\ Resource\\\\ Kit\\\\\\\\*))))) OR (Image.keyword:*\\\\\\\\rc.exe AND (NOT (Image.keyword:(*\\\\\\\\Microsoft\\\\ Visual\\\\ Studio* OR *\\\\\\\\Microsoft\\\\ SDK* OR *\\\\\\\\Windows\\\\ Kit* OR *\\\\\\\\Windows\\\\ Resource\\\\ Kit\\\\\\\\* OR *\\\\\\\\Microsoft.NET\\\\\\\\*)))))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Executable used by PlugX in Uncommon Location - Sysmon Version\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n      CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+((((((((((((Image.keyword:*\\\\CamMute.exe AND (NOT (Image.keyword:*\\\\Lenovo\\\\Communication Utility\\\\*))) OR (Image.keyword:*\\\\chrome_frame_helper.exe AND (NOT (Image.keyword:*\\\\Google\\\\Chrome\\\\application\\\\*)))) OR (Image.keyword:*\\\\dvcemumanager.exe AND (NOT (Image.keyword:*\\\\Microsoft Device Emulator\\\\*)))) OR (Image.keyword:*\\\\Gadget.exe AND (NOT (Image.keyword:*\\\\Windows Media Player\\\\*)))) OR (Image.keyword:*\\\\hcc.exe AND (NOT (Image.keyword:*\\\\HTML Help Workshop\\\\*)))) OR (Image.keyword:*\\\\hkcmd.exe AND (NOT (Image.keyword:(*\\\\System32\\\\* *\\\\SysNative\\\\* *\\\\SysWowo64\\\\*))))) OR (Image.keyword:*\\\\Mc.exe AND (NOT (Image.keyword:(*\\\\Microsoft Visual Studio* *\\\\Microsoft SDK* *\\\\Windows Kit*))))) OR (Image.keyword:*\\\\MsMpEng.exe AND (NOT (Image.keyword:(*\\\\Microsoft Security Client\\\\* *\\\\Windows Defender\\\\* *\\\\AntiMalware\\\\*))))) OR (Image.keyword:*\\\\msseces.exe AND (NOT (Image.keyword:(*\\\\Microsoft Security Center\\\\* *\\\\Microsoft Security Client\\\\* *\\\\Microsoft Security Essentials\\\\*))))) OR (Image.keyword:*\\\\OInfoP11.exe AND (NOT (Image.keyword:*\\\\Common Files\\\\Microsoft Shared\\\\*)))) OR (Image.keyword:*\\\\OleView.exe AND (NOT (Image.keyword:(*\\\\Microsoft Visual Studio* *\\\\Microsoft SDK* *\\\\Windows Kit* *\\\\Windows Resource Kit\\\\*))))) OR (Image.keyword:*\\\\rc.exe AND (NOT (Image.keyword:(*\\\\Microsoft Visual Studio* *\\\\Microsoft SDK* *\\\\Windows Kit* *\\\\Windows Resource Kit\\\\* *\\\\Microsoft.NET\\\\*)))))
+```
+
+
 ### splunk
     
 ```
@@ -128,4 +149,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" ((((((((((((Image="*\\\\CamMute.exe"  -(Image="*\\\\Lenovo\\\\Communication Utility\\\\*")) OR (Image="*\\\\chrome_frame_helper.exe"  -(Image="*\\\\Google\\\\Chrome\\\\application\\\\*"))) OR (Image="*\\\\dvcemumanager.exe"  -(Image="*\\\\Microsoft Device Emulator\\\\*"))) OR (Image="*\\\\Gadget.exe"  -(Image="*\\\\Windows Media Player\\\\*"))) OR (Image="*\\\\hcc.exe"  -(Image="*\\\\HTML Help Workshop\\\\*"))) OR (Image="*\\\\hkcmd.exe"  -(Image IN ["*\\\\System32\\\\*", "*\\\\SysNative\\\\*", "*\\\\SysWowo64\\\\*"]))) OR (Image="*\\\\Mc.exe"  -(Image IN ["*\\\\Microsoft Visual Studio*", "*\\\\Microsoft SDK*", "*\\\\Windows Kit*"]))) OR (Image="*\\\\MsMpEng.exe"  -(Image IN ["*\\\\Microsoft Security Client\\\\*", "*\\\\Windows Defender\\\\*", "*\\\\AntiMalware\\\\*"]))) OR (Image="*\\\\msseces.exe"  -(Image IN ["*\\\\Microsoft Security Center\\\\*", "*\\\\Microsoft Security Client\\\\*", "*\\\\Microsoft Security Essentials\\\\*"]))) OR (Image="*\\\\OInfoP11.exe"  -(Image="*\\\\Common Files\\\\Microsoft Shared\\\\*"))) OR (Image="*\\\\OleView.exe"  -(Image IN ["*\\\\Microsoft Visual Studio*", "*\\\\Microsoft SDK*", "*\\\\Windows Kit*", "*\\\\Windows Resource Kit\\\\*"]))) OR (Image="*\\\\rc.exe"  -(Image IN ["*\\\\Microsoft Visual Studio*", "*\\\\Microsoft SDK*", "*\\\\Windows Kit*", "*\\\\Windows Resource Kit\\\\*", "*\\\\Microsoft.NET\\\\*"]))))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?:.*(?:.*(?:.*(?:.*(?:.*(?:.*(?:.*(?:.*(?:.*(?:.*(?:.*(?:.*(?:.*(?:.*(?:.*(?:.*(?:.*(?:.*(?:.*(?:.*(?:.*(?:.*(?=.*.*\\CamMute\\.exe)(?=.*(?!.*(?:.*(?=.*.*\\Lenovo\\Communication Utility\\\\.*)))))|.*(?:.*(?=.*.*\\chrome_frame_helper\\.exe)(?=.*(?!.*(?:.*(?=.*.*\\Google\\Chrome\\application\\\\.*)))))))|.*(?:.*(?=.*.*\\dvcemumanager\\.exe)(?=.*(?!.*(?:.*(?=.*.*\\Microsoft Device Emulator\\\\.*)))))))|.*(?:.*(?=.*.*\\Gadget\\.exe)(?=.*(?!.*(?:.*(?=.*.*\\Windows Media Player\\\\.*)))))))|.*(?:.*(?=.*.*\\hcc\\.exe)(?=.*(?!.*(?:.*(?=.*.*\\HTML Help Workshop\\\\.*)))))))|.*(?:.*(?=.*.*\\hkcmd\\.exe)(?=.*(?!.*(?:.*(?=.*(?:.*.*\\System32\\\\.*|.*.*\\SysNative\\\\.*|.*.*\\SysWowo64\\\\.*))))))))|.*(?:.*(?=.*.*\\Mc\\.exe)(?=.*(?!.*(?:.*(?=.*(?:.*.*\\Microsoft Visual Studio.*|.*.*\\Microsoft SDK.*|.*.*\\Windows Kit.*))))))))|.*(?:.*(?=.*.*\\MsMpEng\\.exe)(?=.*(?!.*(?:.*(?=.*(?:.*.*\\Microsoft Security Client\\\\.*|.*.*\\Windows Defender\\\\.*|.*.*\\AntiMalware\\\\.*))))))))|.*(?:.*(?=.*.*\\msseces\\.exe)(?=.*(?!.*(?:.*(?=.*(?:.*.*\\Microsoft Security Center\\\\.*|.*.*\\Microsoft Security Client\\\\.*|.*.*\\Microsoft Security Essentials\\\\.*))))))))|.*(?:.*(?=.*.*\\OInfoP11\\.exe)(?=.*(?!.*(?:.*(?=.*.*\\Common Files\\Microsoft Shared\\\\.*)))))))|.*(?:.*(?=.*.*\\OleView\\.exe)(?=.*(?!.*(?:.*(?=.*(?:.*.*\\Microsoft Visual Studio.*|.*.*\\Microsoft SDK.*|.*.*\\Windows Kit.*|.*.*\\Windows Resource Kit\\\\.*))))))))|.*(?:.*(?=.*.*\\rc\\.exe)(?=.*(?!.*(?:.*(?=.*(?:.*.*\\Microsoft Visual Studio.*|.*.*\\Microsoft SDK.*|.*.*\\Windows Kit.*|.*.*\\Windows Resource Kit\\\\.*|.*.*\\Microsoft\\.NET\\\\.*))))))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_possible_applocker_bypass.md b/Atomic_Threat_Coverage/Detection_Rules/win_possible_applocker_bypass.md
index 543df2b..75991bc 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_possible_applocker_bypass.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_possible_applocker_bypass.md
@@ -59,6 +59,27 @@ level: low
 
 
 
+### es-qs
+    
+```
+CommandLine.keyword:(*\\\\msdt.exe* OR *\\\\installutil.exe* OR *\\\\regsvcs.exe* OR *\\\\regasm.exe* OR *\\\\msbuild.exe* OR *\\\\ieexec.exe*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Possible-Applocker-Bypass <<EOF\n{\n  "metadata": {\n    "title": "Possible Applocker Bypass",\n    "description": "Detects execution of executables that can be used to bypass Applocker whitelisting",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.t1118",\n      "attack.t1121",\n      "attack.t1127",\n      "attack.t1170"\n    ],\n    "query": "CommandLine.keyword:(*\\\\\\\\msdt.exe* OR *\\\\\\\\installutil.exe* OR *\\\\\\\\regsvcs.exe* OR *\\\\\\\\regasm.exe* OR *\\\\\\\\msbuild.exe* OR *\\\\\\\\ieexec.exe*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "CommandLine.keyword:(*\\\\\\\\msdt.exe* OR *\\\\\\\\installutil.exe* OR *\\\\\\\\regsvcs.exe* OR *\\\\\\\\regasm.exe* OR *\\\\\\\\msbuild.exe* OR *\\\\\\\\ieexec.exe*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Possible Applocker Bypass\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+CommandLine.keyword:(*\\\\msdt.exe* *\\\\installutil.exe* *\\\\regsvcs.exe* *\\\\regasm.exe* *\\\\msbuild.exe* *\\\\ieexec.exe*)
+```
+
+
 ### splunk
     
 ```
@@ -66,4 +87,18 @@ level: low
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" CommandLine IN ["*\\\\msdt.exe*", "*\\\\installutil.exe*", "*\\\\regsvcs.exe*", "*\\\\regasm.exe*", "*\\\\msbuild.exe*", "*\\\\ieexec.exe*"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*.*\\msdt\\.exe.*|.*.*\\installutil\\.exe.*|.*.*\\regsvcs\\.exe.*|.*.*\\regasm\\.exe.*|.*.*\\msbuild\\.exe.*|.*.*\\ieexec\\.exe.*)'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_powershell_amsi_bypass.md b/Atomic_Threat_Coverage/Detection_Rules/win_powershell_amsi_bypass.md
index a16b706..0b5de52 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_powershell_amsi_bypass.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_powershell_amsi_bypass.md
@@ -3,7 +3,7 @@
 | Description          | Detects Request to amsiInitFailed that can be used to disable AMSI Scanning                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul>  |
 | Severity Level       | high |
@@ -52,6 +52,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(CommandLine.keyword:(*System.Management.Automation.AmsiUtils*) AND CommandLine.keyword:(*amsiInitFailed*))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Powershell-AMSI-Bypass-via-.NET-Reflection <<EOF\n{\n  "metadata": {\n    "title": "Powershell AMSI Bypass via .NET Reflection",\n    "description": "Detects Request to amsiInitFailed that can be used to disable AMSI Scanning",\n    "tags": [\n      "attack.execution",\n      "attack.defense_evasion",\n      "attack.t1086"\n    ],\n    "query": "(CommandLine.keyword:(*System.Management.Automation.AmsiUtils*) AND CommandLine.keyword:(*amsiInitFailed*))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(CommandLine.keyword:(*System.Management.Automation.AmsiUtils*) AND CommandLine.keyword:(*amsiInitFailed*))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Powershell AMSI Bypass via .NET Reflection\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(CommandLine.keyword:(*System.Management.Automation.AmsiUtils*) AND CommandLine.keyword:(*amsiInitFailed*))
+```
+
+
 ### splunk
     
 ```
@@ -59,4 +80,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" CommandLine IN ["*System.Management.Automation.AmsiUtils*"] CommandLine IN ["*amsiInitFailed*"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*.*System\\.Management\\.Automation\\.AmsiUtils.*))(?=.*(?:.*.*amsiInitFailed.*)))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_powershell_b64_shellcode.md b/Atomic_Threat_Coverage/Detection_Rules/win_powershell_b64_shellcode.md
index 90cd67d..7ad3d0c 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_powershell_b64_shellcode.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_powershell_b64_shellcode.md
@@ -3,7 +3,7 @@
 | Description          | Detects Base64 encoded Shellcode                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1036: Masquerading](../Triggers/T1036.md)</li></ul>  |
 | Severity Level       | critical |
@@ -50,6 +50,27 @@ level: critical
 
 
 
+### es-qs
+    
+```
+(CommandLine.keyword:*AAAAYInlM* AND CommandLine.keyword:(*OiCAAAAYInlM* OR *OiJAAAAYInlM*))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/PowerShell-Base64-Encoded-Shellcode <<EOF\n{\n  "metadata": {\n    "title": "PowerShell Base64 Encoded Shellcode",\n    "description": "Detects Base64 encoded Shellcode",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.t1036"\n    ],\n    "query": "(CommandLine.keyword:*AAAAYInlM* AND CommandLine.keyword:(*OiCAAAAYInlM* OR *OiJAAAAYInlM*))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(CommandLine.keyword:*AAAAYInlM* AND CommandLine.keyword:(*OiCAAAAYInlM* OR *OiJAAAAYInlM*))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'PowerShell Base64 Encoded Shellcode\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(CommandLine.keyword:*AAAAYInlM* AND CommandLine.keyword:(*OiCAAAAYInlM* *OiJAAAAYInlM*))
+```
+
+
 ### splunk
     
 ```
@@ -57,4 +78,18 @@ level: critical
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" CommandLine="*AAAAYInlM*" CommandLine IN ["*OiCAAAAYInlM*", "*OiJAAAAYInlM*"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*.*AAAAYInlM.*)(?=.*(?:.*.*OiCAAAAYInlM.*|.*.*OiJAAAAYInlM.*)))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_powershell_dll_execution.md b/Atomic_Threat_Coverage/Detection_Rules/win_powershell_dll_execution.md
index ea5e9e7..782e6a4 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_powershell_dll_execution.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_powershell_dll_execution.md
@@ -55,6 +55,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+((Image.keyword:(*\\\\rundll32.exe) OR Description.keyword:(*Windows\\-Hostprozess\\ \\(Rundll32\\)*)) AND CommandLine.keyword:(*Default.GetString* OR *FromBase64String*))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Detection-of-PowerShell-Execution-via-DLL <<EOF\n{\n  "metadata": {\n    "title": "Detection of PowerShell Execution via DLL",\n    "description": "Detects PowerShell Strings applied to rundllas seen in PowerShdll.dll",\n    "tags": [\n      "attack.execution",\n      "attack.t1086",\n      "car.2014-04-003"\n    ],\n    "query": "((Image.keyword:(*\\\\\\\\rundll32.exe) OR Description.keyword:(*Windows\\\\-Hostprozess\\\\ \\\\(Rundll32\\\\)*)) AND CommandLine.keyword:(*Default.GetString* OR *FromBase64String*))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "((Image.keyword:(*\\\\\\\\rundll32.exe) OR Description.keyword:(*Windows\\\\-Hostprozess\\\\ \\\\(Rundll32\\\\)*)) AND CommandLine.keyword:(*Default.GetString* OR *FromBase64String*))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Detection of PowerShell Execution via DLL\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+((Image.keyword:(*\\\\rundll32.exe) OR Description.keyword:(*Windows\\-Hostprozess \\(Rundll32\\)*)) AND CommandLine.keyword:(*Default.GetString* *FromBase64String*))
+```
+
+
 ### splunk
     
 ```
@@ -62,4 +83,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" (Image IN ["*\\\\rundll32.exe"] OR Description IN ["*Windows-Hostprozess (Rundll32)*"]) CommandLine IN ["*Default.GetString*", "*FromBase64String*"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*(?:.*(?:.*.*\\rundll32\\.exe)|.*(?:.*.*Windows-Hostprozess \\(Rundll32\\).*))))(?=.*(?:.*.*Default\\.GetString.*|.*.*FromBase64String.*)))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_powershell_download.md b/Atomic_Threat_Coverage/Detection_Rules/win_powershell_download.md
index 53f7d95..6eef60e 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_powershell_download.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_powershell_download.md
@@ -3,7 +3,7 @@
 | Description          | Detects a Powershell process that contains download commands in its command line string                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul>  |
 | Severity Level       | medium |
@@ -51,6 +51,27 @@ level: medium
 
 
 
+### es-qs
+    
+```
+(Image.keyword:*\\\\powershell.exe AND CommandLine.keyword:(*new\\-object\\ system.net.webclient\\).downloadstring\\(* OR *new\\-object\\ system.net.webclient\\).downloadfile\\(* OR *new\\-object\\ net.webclient\\).downloadstring\\(* OR *new\\-object\\ net.webclient\\).downloadfile\\(*))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/PowerShell-Download-from-URL <<EOF\n{\n  "metadata": {\n    "title": "PowerShell Download from URL",\n    "description": "Detects a Powershell process that contains download commands in its command line string",\n    "tags": [\n      "attack.t1086",\n      "attack.execution"\n    ],\n    "query": "(Image.keyword:*\\\\\\\\powershell.exe AND CommandLine.keyword:(*new\\\\-object\\\\ system.net.webclient\\\\).downloadstring\\\\(* OR *new\\\\-object\\\\ system.net.webclient\\\\).downloadfile\\\\(* OR *new\\\\-object\\\\ net.webclient\\\\).downloadstring\\\\(* OR *new\\\\-object\\\\ net.webclient\\\\).downloadfile\\\\(*))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(Image.keyword:*\\\\\\\\powershell.exe AND CommandLine.keyword:(*new\\\\-object\\\\ system.net.webclient\\\\).downloadstring\\\\(* OR *new\\\\-object\\\\ system.net.webclient\\\\).downloadfile\\\\(* OR *new\\\\-object\\\\ net.webclient\\\\).downloadstring\\\\(* OR *new\\\\-object\\\\ net.webclient\\\\).downloadfile\\\\(*))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'PowerShell Download from URL\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n      CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(Image.keyword:*\\\\powershell.exe AND CommandLine.keyword:(*new\\-object system.net.webclient\\).downloadstring\\(* *new\\-object system.net.webclient\\).downloadfile\\(* *new\\-object net.webclient\\).downloadstring\\(* *new\\-object net.webclient\\).downloadfile\\(*))
+```
+
+
 ### splunk
     
 ```
@@ -58,4 +79,18 @@ level: medium
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" Image="*\\\\powershell.exe" CommandLine IN ["*new-object system.net.webclient).downloadstring(*", "*new-object system.net.webclient).downloadfile(*", "*new-object net.webclient).downloadstring(*", "*new-object net.webclient).downloadfile(*"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*.*\\powershell\\.exe)(?=.*(?:.*.*new-object system\\.net\\.webclient\\)\\.downloadstring\\(.*|.*.*new-object system\\.net\\.webclient\\)\\.downloadfile\\(.*|.*.*new-object net\\.webclient\\)\\.downloadstring\\(.*|.*.*new-object net\\.webclient\\)\\.downloadfile\\(.*)))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_powershell_suspicious_parameter_variation.md b/Atomic_Threat_Coverage/Detection_Rules/win_powershell_suspicious_parameter_variation.md
index 6351527..8467cd2 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_powershell_suspicious_parameter_variation.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_powershell_suspicious_parameter_variation.md
@@ -3,7 +3,7 @@
 | Description          | Detects suspicious PowerShell invocation with a parameter substring                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul>  |
 | Severity Level       | high |
@@ -87,6 +87,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(Image.keyword:(*\\\\Powershell.exe) AND CommandLine:("\\ \\-windowstyle\\ h\\ " OR "\\ \\-windowstyl\\ h" OR "\\ \\-windowsty\\ h" OR "\\ \\-windowst\\ h" OR "\\ \\-windows\\ h" OR "\\ \\-windo\\ h" OR "\\ \\-wind\\ h" OR "\\ \\-win\\ h" OR "\\ \\-wi\\ h" OR "\\ \\-win\\ h\\ " OR "\\ \\-win\\ hi\\ " OR "\\ \\-win\\ hid\\ " OR "\\ \\-win\\ hidd\\ " OR "\\ \\-win\\ hidde\\ " OR "\\ \\-NoPr\\ " OR "\\ \\-NoPro\\ " OR "\\ \\-NoProf\\ " OR "\\ \\-NoProfi\\ " OR "\\ \\-NoProfil\\ " OR "\\ \\-nonin\\ " OR "\\ \\-nonint\\ " OR "\\ \\-noninte\\ " OR "\\ \\-noninter\\ " OR "\\ \\-nonintera\\ " OR "\\ \\-noninterac\\ " OR "\\ \\-noninteract\\ " OR "\\ \\-noninteracti\\ " OR "\\ \\-noninteractiv\\ " OR "\\ \\-ec\\ " OR "\\ \\-encodedComman\\ " OR "\\ \\-encodedComma\\ " OR "\\ \\-encodedComm\\ " OR "\\ \\-encodedCom\\ " OR "\\ \\-encodedCo\\ " OR "\\ \\-encodedC\\ " OR "\\ \\-encoded\\ " OR "\\ \\-encode\\ " OR "\\ \\-encod\\ " OR "\\ \\-enco\\ " OR "\\ \\-en\\ "))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-PowerShell-Parameter-Substring <<EOF\n{\n  "metadata": {\n    "title": "Suspicious PowerShell Parameter Substring",\n    "description": "Detects suspicious PowerShell invocation with a parameter substring",\n    "tags": [\n      "attack.execution",\n      "attack.t1086"\n    ],\n    "query": "(Image.keyword:(*\\\\\\\\Powershell.exe) AND CommandLine:(\\"\\\\ \\\\-windowstyle\\\\ h\\\\ \\" OR \\"\\\\ \\\\-windowstyl\\\\ h\\" OR \\"\\\\ \\\\-windowsty\\\\ h\\" OR \\"\\\\ \\\\-windowst\\\\ h\\" OR \\"\\\\ \\\\-windows\\\\ h\\" OR \\"\\\\ \\\\-windo\\\\ h\\" OR \\"\\\\ \\\\-wind\\\\ h\\" OR \\"\\\\ \\\\-win\\\\ h\\" OR \\"\\\\ \\\\-wi\\\\ h\\" OR \\"\\\\ \\\\-win\\\\ h\\\\ \\" OR \\"\\\\ \\\\-win\\\\ hi\\\\ \\" OR \\"\\\\ \\\\-win\\\\ hid\\\\ \\" OR \\"\\\\ \\\\-win\\\\ hidd\\\\ \\" OR \\"\\\\ \\\\-win\\\\ hidde\\\\ \\" OR \\"\\\\ \\\\-NoPr\\\\ \\" OR \\"\\\\ \\\\-NoPro\\\\ \\" OR \\"\\\\ \\\\-NoProf\\\\ \\" OR \\"\\\\ \\\\-NoProfi\\\\ \\" OR \\"\\\\ \\\\-NoProfil\\\\ \\" OR \\"\\\\ \\\\-nonin\\\\ \\" OR \\"\\\\ \\\\-nonint\\\\ \\" OR \\"\\\\ \\\\-noninte\\\\ \\" OR \\"\\\\ \\\\-noninter\\\\ \\" OR \\"\\\\ \\\\-nonintera\\\\ \\" OR \\"\\\\ \\\\-noninterac\\\\ \\" OR \\"\\\\ \\\\-noninteract\\\\ \\" OR \\"\\\\ \\\\-noninteracti\\\\ \\" OR \\"\\\\ \\\\-noninteractiv\\\\ \\" OR \\"\\\\ \\\\-ec\\\\ \\" OR \\"\\\\ \\\\-encodedComman\\\\ \\" OR \\"\\\\ \\\\-encodedComma\\\\ \\" OR \\"\\\\ \\\\-encodedComm\\\\ \\" OR \\"\\\\ \\\\-encodedCom\\\\ \\" OR \\"\\\\ \\\\-encodedCo\\\\ \\" OR \\"\\\\ \\\\-encodedC\\\\ \\" OR \\"\\\\ \\\\-encoded\\\\ \\" OR \\"\\\\ \\\\-encode\\\\ \\" OR \\"\\\\ \\\\-encod\\\\ \\" OR \\"\\\\ \\\\-enco\\\\ \\" OR \\"\\\\ \\\\-en\\\\ \\"))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(Image.keyword:(*\\\\\\\\Powershell.exe) AND CommandLine:(\\"\\\\ \\\\-windowstyle\\\\ h\\\\ \\" OR \\"\\\\ \\\\-windowstyl\\\\ h\\" OR \\"\\\\ \\\\-windowsty\\\\ h\\" OR \\"\\\\ \\\\-windowst\\\\ h\\" OR \\"\\\\ \\\\-windows\\\\ h\\" OR \\"\\\\ \\\\-windo\\\\ h\\" OR \\"\\\\ \\\\-wind\\\\ h\\" OR \\"\\\\ \\\\-win\\\\ h\\" OR \\"\\\\ \\\\-wi\\\\ h\\" OR \\"\\\\ \\\\-win\\\\ h\\\\ \\" OR \\"\\\\ \\\\-win\\\\ hi\\\\ \\" OR \\"\\\\ \\\\-win\\\\ hid\\\\ \\" OR \\"\\\\ \\\\-win\\\\ hidd\\\\ \\" OR \\"\\\\ \\\\-win\\\\ hidde\\\\ \\" OR \\"\\\\ \\\\-NoPr\\\\ \\" OR \\"\\\\ \\\\-NoPro\\\\ \\" OR \\"\\\\ \\\\-NoProf\\\\ \\" OR \\"\\\\ \\\\-NoProfi\\\\ \\" OR \\"\\\\ \\\\-NoProfil\\\\ \\" OR \\"\\\\ \\\\-nonin\\\\ \\" OR \\"\\\\ \\\\-nonint\\\\ \\" OR \\"\\\\ \\\\-noninte\\\\ \\" OR \\"\\\\ \\\\-noninter\\\\ \\" OR \\"\\\\ \\\\-nonintera\\\\ \\" OR \\"\\\\ \\\\-noninterac\\\\ \\" OR \\"\\\\ \\\\-noninteract\\\\ \\" OR \\"\\\\ \\\\-noninteracti\\\\ \\" OR \\"\\\\ \\\\-noninteractiv\\\\ \\" OR \\"\\\\ \\\\-ec\\\\ \\" OR \\"\\\\ \\\\-encodedComman\\\\ \\" OR \\"\\\\ \\\\-encodedComma\\\\ \\" OR \\"\\\\ \\\\-encodedComm\\\\ \\" OR \\"\\\\ \\\\-encodedCom\\\\ \\" OR \\"\\\\ \\\\-encodedCo\\\\ \\" OR \\"\\\\ \\\\-encodedC\\\\ \\" OR \\"\\\\ \\\\-encoded\\\\ \\" OR \\"\\\\ \\\\-encode\\\\ \\" OR \\"\\\\ \\\\-encod\\\\ \\" OR \\"\\\\ \\\\-enco\\\\ \\" OR \\"\\\\ \\\\-en\\\\ \\"))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Suspicious PowerShell Parameter Substring\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(Image.keyword:(*\\\\Powershell.exe) AND CommandLine:(" \\-windowstyle h " " \\-windowstyl h" " \\-windowsty h" " \\-windowst h" " \\-windows h" " \\-windo h" " \\-wind h" " \\-win h" " \\-wi h" " \\-win h " " \\-win hi " " \\-win hid " " \\-win hidd " " \\-win hidde " " \\-NoPr " " \\-NoPro " " \\-NoProf " " \\-NoProfi " " \\-NoProfil " " \\-nonin " " \\-nonint " " \\-noninte " " \\-noninter " " \\-nonintera " " \\-noninterac " " \\-noninteract " " \\-noninteracti " " \\-noninteractiv " " \\-ec " " \\-encodedComman " " \\-encodedComma " " \\-encodedComm " " \\-encodedCom " " \\-encodedCo " " \\-encodedC " " \\-encoded " " \\-encode " " \\-encod " " \\-enco " " \\-en "))
+```
+
+
 ### splunk
     
 ```
@@ -94,4 +115,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" Image IN ["*\\\\Powershell.exe"] CommandLine IN [" -windowstyle h ", " -windowstyl h", " -windowsty h", " -windowst h", " -windows h", " -windo h", " -wind h", " -win h", " -wi h", " -win h ", " -win hi ", " -win hid ", " -win hidd ", " -win hidde ", " -NoPr ", " -NoPro ", " -NoProf ", " -NoProfi ", " -NoProfil ", " -nonin ", " -nonint ", " -noninte ", " -noninter ", " -nonintera ", " -noninterac ", " -noninteract ", " -noninteracti ", " -noninteractiv ", " -ec ", " -encodedComman ", " -encodedComma ", " -encodedComm ", " -encodedCom ", " -encodedCo ", " -encodedC ", " -encoded ", " -encode ", " -encod ", " -enco ", " -en "])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*.*\\Powershell\\.exe))(?=.*(?:.* -windowstyle h |.* -windowstyl h|.* -windowsty h|.* -windowst h|.* -windows h|.* -windo h|.* -wind h|.* -win h|.* -wi h|.* -win h |.* -win hi |.* -win hid |.* -win hidd |.* -win hidde |.* -NoPr |.* -NoPro |.* -NoProf |.* -NoProfi |.* -NoProfil |.* -nonin |.* -nonint |.* -noninte |.* -noninter |.* -nonintera |.* -noninterac |.* -noninteract |.* -noninteracti |.* -noninteractiv |.* -ec |.* -encodedComman |.* -encodedComma |.* -encodedComm |.* -encodedCom |.* -encodedCo |.* -encodedC |.* -encoded |.* -encode |.* -encod |.* -enco |.* -en )))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_powershell_xor_commandline.md b/Atomic_Threat_Coverage/Detection_Rules/win_powershell_xor_commandline.md
index 4722d45..066fa75 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_powershell_xor_commandline.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_powershell_xor_commandline.md
@@ -3,7 +3,7 @@
 | Description          | Detects suspicious powershell process which includes bxor command, alternatvide obfuscation method to b64 encoded commands.                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul>  |
 | Severity Level       | medium |
@@ -45,6 +45,27 @@ logsource:
 
 
 
+### es-qs
+    
+```
+CommandLine.keyword:(*\\ \\-bxor*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-XOR-Encoded-PowerShell-Command-Line <<EOF\n{\n  "metadata": {\n    "title": "Suspicious XOR Encoded PowerShell Command Line",\n    "description": "Detects suspicious powershell process which includes bxor command, alternatvide obfuscation method to b64 encoded commands.",\n    "tags": [\n      "attack.execution",\n      "attack.t1086"\n    ],\n    "query": "CommandLine.keyword:(*\\\\ \\\\-bxor*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "CommandLine.keyword:(*\\\\ \\\\-bxor*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Suspicious XOR Encoded PowerShell Command Line\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+CommandLine.keyword:(* \\-bxor*)
+```
+
+
 ### splunk
     
 ```
@@ -52,4 +73,18 @@ logsource:
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" CommandLine IN ["* -bxor*"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*.* -bxor.*)'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_powersploit_empire_schtasks.md b/Atomic_Threat_Coverage/Detection_Rules/win_powersploit_empire_schtasks.md
index 8d72d18..dd885d8 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_powersploit_empire_schtasks.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_powersploit_empire_schtasks.md
@@ -3,7 +3,7 @@
 | Description          | Detects the creation of a schtask via PowerSploit or Empire Default Configuration.                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1053: Scheduled Task](https://attack.mitre.org/techniques/T1053)</li><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1053: Scheduled Task](../Triggers/T1053.md)</li><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul>  |
 | Severity Level       | high |
@@ -61,6 +61,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(ParentImage.keyword:(*\\\\powershell.exe) AND CommandLine.keyword:(*schtasks*\\/Create*\\/SC\\ *ONLOGON*\\/TN\\ *Updater*\\/TR\\ *powershell* OR *schtasks*\\/Create*\\/SC\\ *DAILY*\\/TN\\ *Updater*\\/TR\\ *powershell* OR *schtasks*\\/Create*\\/SC\\ *ONIDLE*\\/TN\\ *Updater*\\/TR\\ *powershell* OR *schtasks*\\/Create*\\/SC\\ *Updater*\\/TN\\ *Updater*\\/TR\\ *powershell*))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Default-PowerSploit-and-Empire-Schtasks-Persistence <<EOF\n{\n  "metadata": {\n    "title": "Default PowerSploit and Empire Schtasks Persistence",\n    "description": "Detects the creation of a schtask via PowerSploit or Empire Default Configuration.",\n    "tags": [\n      "attack.execution",\n      "attack.persistence",\n      "attack.privilege_escalation",\n      "attack.t1053",\n      "attack.t1086",\n      "attack.s0111",\n      "attack.g0022",\n      "attack.g0060",\n      "car.2013-08-001"\n    ],\n    "query": "(ParentImage.keyword:(*\\\\\\\\powershell.exe) AND CommandLine.keyword:(*schtasks*\\\\/Create*\\\\/SC\\\\ *ONLOGON*\\\\/TN\\\\ *Updater*\\\\/TR\\\\ *powershell* OR *schtasks*\\\\/Create*\\\\/SC\\\\ *DAILY*\\\\/TN\\\\ *Updater*\\\\/TR\\\\ *powershell* OR *schtasks*\\\\/Create*\\\\/SC\\\\ *ONIDLE*\\\\/TN\\\\ *Updater*\\\\/TR\\\\ *powershell* OR *schtasks*\\\\/Create*\\\\/SC\\\\ *Updater*\\\\/TN\\\\ *Updater*\\\\/TR\\\\ *powershell*))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(ParentImage.keyword:(*\\\\\\\\powershell.exe) AND CommandLine.keyword:(*schtasks*\\\\/Create*\\\\/SC\\\\ *ONLOGON*\\\\/TN\\\\ *Updater*\\\\/TR\\\\ *powershell* OR *schtasks*\\\\/Create*\\\\/SC\\\\ *DAILY*\\\\/TN\\\\ *Updater*\\\\/TR\\\\ *powershell* OR *schtasks*\\\\/Create*\\\\/SC\\\\ *ONIDLE*\\\\/TN\\\\ *Updater*\\\\/TR\\\\ *powershell* OR *schtasks*\\\\/Create*\\\\/SC\\\\ *Updater*\\\\/TN\\\\ *Updater*\\\\/TR\\\\ *powershell*))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Default PowerSploit and Empire Schtasks Persistence\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(ParentImage.keyword:(*\\\\powershell.exe) AND CommandLine.keyword:(*schtasks*\\/Create*\\/SC *ONLOGON*\\/TN *Updater*\\/TR *powershell* *schtasks*\\/Create*\\/SC *DAILY*\\/TN *Updater*\\/TR *powershell* *schtasks*\\/Create*\\/SC *ONIDLE*\\/TN *Updater*\\/TR *powershell* *schtasks*\\/Create*\\/SC *Updater*\\/TN *Updater*\\/TR *powershell*))
+```
+
+
 ### splunk
     
 ```
@@ -68,4 +89,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" ParentImage IN ["*\\\\powershell.exe"] CommandLine IN ["*schtasks*/Create*/SC *ONLOGON*/TN *Updater*/TR *powershell*", "*schtasks*/Create*/SC *DAILY*/TN *Updater*/TR *powershell*", "*schtasks*/Create*/SC *ONIDLE*/TN *Updater*/TR *powershell*", "*schtasks*/Create*/SC *Updater*/TN *Updater*/TR *powershell*"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*.*\\powershell\\.exe))(?=.*(?:.*.*schtasks.*/Create.*/SC .*ONLOGON.*/TN .*Updater.*/TR .*powershell.*|.*.*schtasks.*/Create.*/SC .*DAILY.*/TN .*Updater.*/TR .*powershell.*|.*.*schtasks.*/Create.*/SC .*ONIDLE.*/TN .*Updater.*/TR .*powershell.*|.*.*schtasks.*/Create.*/SC .*Updater.*/TN .*Updater.*/TR .*powershell.*)))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_proc_wrong_parent.md b/Atomic_Threat_Coverage/Detection_Rules/win_proc_wrong_parent.md
index e26daca..f165bbd 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_proc_wrong_parent.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_proc_wrong_parent.md
@@ -3,7 +3,7 @@
 | Description          | Detect suspicious parent processes of well-known Windows processes                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1036: Masquerading](../Triggers/T1036.md)</li></ul>  |
 | Severity Level       | low |
@@ -67,6 +67,27 @@ level: low
 
 
 
+### es-qs
+    
+```
+((Image.keyword:(*\\\\svchost.exe OR *\\\\taskhost.exe OR *\\\\lsm.exe OR *\\\\lsass.exe OR *\\\\services.exe OR *\\\\lsaiso.exe OR *\\\\csrss.exe OR *\\\\wininit.exe OR *\\\\winlogon.exe) AND (NOT (ParentImage.keyword:(*\\\\System32\\\\* OR *\\\\SysWOW64\\\\* OR *\\\\SavService.exe OR *\\\\Windows\\ Defender\\\\*\\\\MsMpEng.exe)))) AND (NOT (NOT _exists_:ParentImage)))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Windows-Processes-Suspicious-Parent-Directory <<EOF\n{\n  "metadata": {\n    "title": "Windows Processes Suspicious Parent Directory",\n    "description": "Detect suspicious parent processes of well-known Windows processes",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.t1036"\n    ],\n    "query": "((Image.keyword:(*\\\\\\\\svchost.exe OR *\\\\\\\\taskhost.exe OR *\\\\\\\\lsm.exe OR *\\\\\\\\lsass.exe OR *\\\\\\\\services.exe OR *\\\\\\\\lsaiso.exe OR *\\\\\\\\csrss.exe OR *\\\\\\\\wininit.exe OR *\\\\\\\\winlogon.exe) AND (NOT (ParentImage.keyword:(*\\\\\\\\System32\\\\\\\\* OR *\\\\\\\\SysWOW64\\\\\\\\* OR *\\\\\\\\SavService.exe OR *\\\\\\\\Windows\\\\ Defender\\\\\\\\*\\\\\\\\MsMpEng.exe)))) AND (NOT (NOT _exists_:ParentImage)))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "((Image.keyword:(*\\\\\\\\svchost.exe OR *\\\\\\\\taskhost.exe OR *\\\\\\\\lsm.exe OR *\\\\\\\\lsass.exe OR *\\\\\\\\services.exe OR *\\\\\\\\lsaiso.exe OR *\\\\\\\\csrss.exe OR *\\\\\\\\wininit.exe OR *\\\\\\\\winlogon.exe) AND (NOT (ParentImage.keyword:(*\\\\\\\\System32\\\\\\\\* OR *\\\\\\\\SysWOW64\\\\\\\\* OR *\\\\\\\\SavService.exe OR *\\\\\\\\Windows\\\\ Defender\\\\\\\\*\\\\\\\\MsMpEng.exe)))) AND (NOT (NOT _exists_:ParentImage)))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Windows Processes Suspicious Parent Directory\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+((Image.keyword:(*\\\\svchost.exe *\\\\taskhost.exe *\\\\lsm.exe *\\\\lsass.exe *\\\\services.exe *\\\\lsaiso.exe *\\\\csrss.exe *\\\\wininit.exe *\\\\winlogon.exe) AND (NOT (ParentImage.keyword:(*\\\\System32\\\\* *\\\\SysWOW64\\\\* *\\\\SavService.exe *\\\\Windows Defender\\\\*\\\\MsMpEng.exe)))) AND (NOT (NOT _exists_:ParentImage)))
+```
+
+
 ### splunk
     
 ```
@@ -74,4 +95,18 @@ level: low
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" (Image IN ["*\\\\svchost.exe", "*\\\\taskhost.exe", "*\\\\lsm.exe", "*\\\\lsass.exe", "*\\\\services.exe", "*\\\\lsaiso.exe", "*\\\\csrss.exe", "*\\\\wininit.exe", "*\\\\winlogon.exe"]  -(ParentImage IN ["*\\\\System32\\\\*", "*\\\\SysWOW64\\\\*", "*\\\\SavService.exe", "*\\\\Windows Defender\\\\*\\\\MsMpEng.exe"]))  -(-ParentImage=*))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*(?=.*(?:.*.*\\svchost\\.exe|.*.*\\taskhost\\.exe|.*.*\\lsm\\.exe|.*.*\\lsass\\.exe|.*.*\\services\\.exe|.*.*\\lsaiso\\.exe|.*.*\\csrss\\.exe|.*.*\\wininit\\.exe|.*.*\\winlogon\\.exe))(?=.*(?!.*(?:.*(?=.*(?:.*.*\\System32\\\\.*|.*.*\\SysWOW64\\\\.*|.*.*\\SavService\\.exe|.*.*\\Windows Defender\\\\.*\\MsMpEng\\.exe)))))))(?=.*(?!.*(?:.*(?=.*(?!ParentImage))))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_process_creation_bitsadmin_download.md b/Atomic_Threat_Coverage/Detection_Rules/win_process_creation_bitsadmin_download.md
index 65f0897..e1348a0 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_process_creation_bitsadmin_download.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_process_creation_bitsadmin_download.md
@@ -3,7 +3,7 @@
 | Description          | Detects usage of bitsadmin downloading a file                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1197: BITS Jobs](https://attack.mitre.org/techniques/T1197)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1197: BITS Jobs](../Triggers/T1197.md)</li></ul>  |
 | Severity Level       | medium |
@@ -54,6 +54,27 @@ level: medium
 
 
 
+### es-qs
+    
+```
+(Image.keyword:(*\\\\bitsadmin.exe) AND CommandLine:("\\/transfer"))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Bitsadmin-Download <<EOF\n{\n  "metadata": {\n    "title": "Bitsadmin Download",\n    "description": "Detects usage of bitsadmin downloading a file",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.persistence",\n      "attack.t1197",\n      "attack.s0190"\n    ],\n    "query": "(Image.keyword:(*\\\\\\\\bitsadmin.exe) AND CommandLine:(\\"\\\\/transfer\\"))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(Image.keyword:(*\\\\\\\\bitsadmin.exe) AND CommandLine:(\\"\\\\/transfer\\"))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Bitsadmin Download\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n      CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(Image.keyword:(*\\\\bitsadmin.exe) AND CommandLine:("\\/transfer"))
+```
+
+
 ### splunk
     
 ```
@@ -61,4 +82,18 @@ level: medium
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" Image IN ["*\\\\bitsadmin.exe"] CommandLine IN ["/transfer"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*.*\\bitsadmin\\.exe))(?=.*(?:.*/transfer)))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_psexesvc_start.md b/Atomic_Threat_Coverage/Detection_Rules/win_psexesvc_start.md
index 9853ea2..8736189 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_psexesvc_start.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_psexesvc_start.md
@@ -45,6 +45,27 @@ level: low
 
 
 
+### es-qs
+    
+```
+ProcessCommandLine:"C\\:\\\\Windows\\\\PSEXESVC.exe"
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/PsExec-Service-Start <<EOF\n{\n  "metadata": {\n    "title": "PsExec Service Start",\n    "description": "Detects a PsExec service start",\n    "tags": [\n      "attack.execution",\n      "attack.t1035",\n      "attack.s0029"\n    ],\n    "query": "ProcessCommandLine:\\"C\\\\:\\\\\\\\Windows\\\\\\\\PSEXESVC.exe\\""\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "ProcessCommandLine:\\"C\\\\:\\\\\\\\Windows\\\\\\\\PSEXESVC.exe\\"",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'PsExec Service Start\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+ProcessCommandLine:"C\\:\\\\Windows\\\\PSEXESVC.exe"
+```
+
+
 ### splunk
     
 ```
@@ -52,4 +73,18 @@ ProcessCommandLine="C:\\\\Windows\\\\PSEXESVC.exe"
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" ProcessCommandLine="C:\\\\Windows\\\\PSEXESVC.exe")
+```
+
+
+### grep
+    
+```
+grep -P '^C:\\Windows\\PSEXESVC\\.exe'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_query_registry.md b/Atomic_Threat_Coverage/Detection_Rules/win_query_registry.md
index f5c67b3..631b87a 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_query_registry.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_query_registry.md
@@ -65,6 +65,27 @@ tags:
 
 
 
+### es-qs
+    
+```
+(Image.keyword:*\\\\reg.exe AND CommandLine.keyword:(*currentVersion\\\\windows* OR *currentVersion\\\\runServicesOnce* OR *currentVersion\\\\runServices* OR *winlogon\\* OR *currentVersion\\\\shellServiceObjectDelayLoad* OR *currentVersion\\\\runOnce* OR *currentVersion\\\\runOnceEx* OR *currentVersion\\\\run* OR *currentVersion\\\\policies\\\\explorer\\\\run* OR *currentcontrolset\\\\services*))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Query-Registry <<EOF\n{\n  "metadata": {\n    "title": "Query Registry",\n    "description": "Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.",\n    "tags": [\n      "attack.discovery",\n      "attack.t1012",\n      "attack.t1007"\n    ],\n    "query": "(Image.keyword:*\\\\\\\\reg.exe AND CommandLine.keyword:(*currentVersion\\\\\\\\windows* OR *currentVersion\\\\\\\\runServicesOnce* OR *currentVersion\\\\\\\\runServices* OR *winlogon\\\\* OR *currentVersion\\\\\\\\shellServiceObjectDelayLoad* OR *currentVersion\\\\\\\\runOnce* OR *currentVersion\\\\\\\\runOnceEx* OR *currentVersion\\\\\\\\run* OR *currentVersion\\\\\\\\policies\\\\\\\\explorer\\\\\\\\run* OR *currentcontrolset\\\\\\\\services*))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(Image.keyword:*\\\\\\\\reg.exe AND CommandLine.keyword:(*currentVersion\\\\\\\\windows* OR *currentVersion\\\\\\\\runServicesOnce* OR *currentVersion\\\\\\\\runServices* OR *winlogon\\\\* OR *currentVersion\\\\\\\\shellServiceObjectDelayLoad* OR *currentVersion\\\\\\\\runOnce* OR *currentVersion\\\\\\\\runOnceEx* OR *currentVersion\\\\\\\\run* OR *currentVersion\\\\\\\\policies\\\\\\\\explorer\\\\\\\\run* OR *currentcontrolset\\\\\\\\services*))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Query Registry\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n            Image = {{_source.Image}}\\n      CommandLine = {{_source.CommandLine}}\\n             User = {{_source.User}}\\n        LogonGuid = {{_source.LogonGuid}}\\n           Hashes = {{_source.Hashes}}\\nParentProcessGuid = {{_source.ParentProcessGuid}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(Image.keyword:*\\\\reg.exe AND CommandLine.keyword:(*currentVersion\\\\windows* *currentVersion\\\\runServicesOnce* *currentVersion\\\\runServices* *winlogon\\* *currentVersion\\\\shellServiceObjectDelayLoad* *currentVersion\\\\runOnce* *currentVersion\\\\runOnceEx* *currentVersion\\\\run* *currentVersion\\\\policies\\\\explorer\\\\run* *currentcontrolset\\\\services*))
+```
+
+
 ### splunk
     
 ```
@@ -72,4 +93,18 @@ tags:
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" Image="*\\\\reg.exe" CommandLine IN ["*currentVersion\\\\windows*", "*currentVersion\\\\runServicesOnce*", "*currentVersion\\\\runServices*", "*winlogon\\*", "*currentVersion\\\\shellServiceObjectDelayLoad*", "*currentVersion\\\\runOnce*", "*currentVersion\\\\runOnceEx*", "*currentVersion\\\\run*", "*currentVersion\\\\policies\\\\explorer\\\\run*", "*currentcontrolset\\\\services*"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*.*\\reg\\.exe)(?=.*(?:.*.*currentVersion\\windows.*|.*.*currentVersion\\runServicesOnce.*|.*.*currentVersion\\runServices.*|.*.*winlogon\\.*|.*.*currentVersion\\shellServiceObjectDelayLoad.*|.*.*currentVersion\\runOnce.*|.*.*currentVersion\\runOnceEx.*|.*.*currentVersion\\run.*|.*.*currentVersion\\policies\\explorer\\run.*|.*.*currentcontrolset\\services.*)))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_ransomware_shadowcopy.md b/Atomic_Threat_Coverage/Detection_Rules/win_ransomware_shadowcopy.md
index e7f64d4..30c08e2 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_ransomware_shadowcopy.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_ransomware_shadowcopy.md
@@ -3,7 +3,7 @@
 | Description          | Detects commands that delete all local volume shadow copies as used by different Ransomware families                                                                                                                                           |
 | ATT&amp;CK Tactic    |   This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet  |
 | ATT&amp;CK Technique |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              |  There is no documented Trigger for this Detection Rule yet  |
 | Severity Level       | critical |
@@ -49,6 +49,27 @@ level: critical
 
 
 
+### es-qs
+    
+```
+CommandLine.keyword:(*vssadmin\\ delete\\ shadows* OR *wmic\\ SHADOWCOPY\\ DELETE*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Ransomware-Deletes-Volume-Shadow-Copies <<EOF\n{\n  "metadata": {\n    "title": "Ransomware Deletes Volume Shadow Copies",\n    "description": "Detects commands that delete all local volume shadow copies as used by different Ransomware families",\n    "tags": "",\n    "query": "CommandLine.keyword:(*vssadmin\\\\ delete\\\\ shadows* OR *wmic\\\\ SHADOWCOPY\\\\ DELETE*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "CommandLine.keyword:(*vssadmin\\\\ delete\\\\ shadows* OR *wmic\\\\ SHADOWCOPY\\\\ DELETE*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Ransomware Deletes Volume Shadow Copies\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n      CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+CommandLine.keyword:(*vssadmin delete shadows* *wmic SHADOWCOPY DELETE*)
+```
+
+
 ### splunk
     
 ```
@@ -56,4 +77,18 @@ level: critical
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" CommandLine IN ["*vssadmin delete shadows*", "*wmic SHADOWCOPY DELETE*"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*.*vssadmin delete shadows.*|.*.*wmic SHADOWCOPY DELETE.*)'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_rare_schtask_creation.md b/Atomic_Threat_Coverage/Detection_Rules/win_rare_schtask_creation.md
index 9542371..8e24a35 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_rare_schtask_creation.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_rare_schtask_creation.md
@@ -46,6 +46,27 @@ level: low
 
 
 
+### es-qs
+    
+```
+
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Rare-Scheduled-Task-Creations <<EOF\n{\n  "metadata": {\n    "title": "Rare Scheduled Task Creations",\n    "description": "This rule detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. The aggregation and count function selects tasks with rare names.",\n    "tags": [\n      "attack.persistence",\n      "attack.t1053",\n      "attack.s0111"\n    ],\n    "query": "EventID:\\"106\\""\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "7d"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "EventID:\\"106\\"",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          },\n          "aggs": {\n            "by": {\n              "terms": {\n                "field": "TaskName.keyword",\n                "size": 10,\n                "order": {\n                  "_count": "asc"\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.aggregations.by.buckets.0.doc_count": {\n        "lt": 5\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Rare Scheduled Task Creations\'",\n        "body": "Hits:\\n{{#aggregations.by.buckets}}\\n {{key}} {{doc_count}}\\n{{/aggregations.by.buckets}}\\n",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+
+```
+
+
 ### splunk
     
 ```
@@ -53,4 +74,18 @@ EventID="106" | eventstats count as val by TaskName| search val < 5
 ```
 
 
+### logpoint
+    
+```
+event_id="106" | chart count() as val by TaskName | search val < 5
+```
+
+
+### grep
+    
+```
+grep -P '^106'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_rare_schtasks_creations.md b/Atomic_Threat_Coverage/Detection_Rules/win_rare_schtasks_creations.md
index 5b00018..9111c38 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_rare_schtasks_creations.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_rare_schtasks_creations.md
@@ -50,6 +50,27 @@ level: low
 
 
 
+### es-qs
+    
+```
+
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Rare-Schtasks-Creations <<EOF\n{\n  "metadata": {\n    "title": "Rare Schtasks Creations",\n    "description": "Detects rare scheduled tasks creations that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious code",\n    "tags": [\n      "attack.execution",\n      "attack.privilege_escalation",\n      "attack.persistence",\n      "attack.t1053",\n      "car.2013-08-001"\n    ],\n    "query": "EventID:\\"4698\\""\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "7d"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "EventID:\\"4698\\"",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          },\n          "aggs": {\n            "by": {\n              "terms": {\n                "field": "TaskName.keyword",\n                "size": 10,\n                "order": {\n                  "_count": "asc"\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.aggregations.by.buckets.0.doc_count": {\n        "lt": 5\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Rare Schtasks Creations\'",\n        "body": "Hits:\\n{{#aggregations.by.buckets}}\\n {{key}} {{doc_count}}\\n{{/aggregations.by.buckets}}\\n",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+
+```
+
+
 ### splunk
     
 ```
@@ -57,4 +78,18 @@ EventID="4698" | eventstats count as val by TaskName| search val < 5
 ```
 
 
+### logpoint
+    
+```
+(event_source="Microsoft-Windows-Security-Auditing" event_id="4698") | chart count() as val by TaskName | search val < 5
+```
+
+
+### grep
+    
+```
+grep -P '^4698'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_rare_service_installs.md b/Atomic_Threat_Coverage/Detection_Rules/win_rare_service_installs.md
index 2572cc2..73a1026 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_rare_service_installs.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_rare_service_installs.md
@@ -47,6 +47,27 @@ level: low
 
 
 
+### es-qs
+    
+```
+
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Rare-Service-Installs <<EOF\n{\n  "metadata": {\n    "title": "Rare Service Installs",\n    "description": "Detects rare service installs that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious services",\n    "tags": [\n      "attack.persistence",\n      "attack.privilege_escalation",\n      "attack.t1050",\n      "car.2013-09-005"\n    ],\n    "query": "EventID:\\"7045\\""\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "7d"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "EventID:\\"7045\\"",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          },\n          "aggs": {\n            "by": {\n              "terms": {\n                "field": "ServiceFileName.keyword",\n                "size": 10,\n                "order": {\n                  "_count": "asc"\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.aggregations.by.buckets.0.doc_count": {\n        "lt": 5\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Rare Service Installs\'",\n        "body": "Hits:\\n{{#aggregations.by.buckets}}\\n {{key}} {{doc_count}}\\n{{/aggregations.by.buckets}}\\n",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+
+```
+
+
 ### splunk
     
 ```
@@ -54,4 +75,18 @@ EventID="7045" | eventstats count as val by ServiceFileName| search val < 5
 ```
 
 
+### logpoint
+    
+```
+(event_source="Microsoft-Windows-Security-Auditing" event_id="7045") | chart count() as val by ServiceFileName | search val < 5
+```
+
+
+### grep
+    
+```
+grep -P '^7045'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_rdp_bluekeep_poc_scanner.md b/Atomic_Threat_Coverage/Detection_Rules/win_rdp_bluekeep_poc_scanner.md
index 8442919..83706b5 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_rdp_bluekeep_poc_scanner.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_rdp_bluekeep_poc_scanner.md
@@ -48,6 +48,27 @@ level: critical
 
 
 
+### es-qs
+    
+```
+(EventID:"4625" AND AccountName:"AAAAAAA")
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Scanner-PoC-for-CVE-2019-0708-RDP-RCE-vuln <<EOF\n{\n  "metadata": {\n    "title": "Scanner PoC for CVE-2019-0708 RDP RCE vuln",\n    "description": "Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to  CVE-2019-0708 RDP RCE aka BlueKeep",\n    "tags": [\n      "attack.lateral_movement",\n      "attack.t1210",\n      "car.2013-07-002"\n    ],\n    "query": "(EventID:\\"4625\\" AND AccountName:\\"AAAAAAA\\")"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:\\"4625\\" AND AccountName:\\"AAAAAAA\\")",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Scanner PoC for CVE-2019-0708 RDP RCE vuln\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(EventID:"4625" AND AccountName:"AAAAAAA")
+```
+
+
 ### splunk
     
 ```
@@ -55,4 +76,18 @@ level: critical
 ```
 
 
+### logpoint
+    
+```
+(event_source="Microsoft-Windows-Security-Auditing" event_id="4625" AccountName="AAAAAAA")
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*4625)(?=.*AAAAAAA))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_rdp_localhost_login.md b/Atomic_Threat_Coverage/Detection_Rules/win_rdp_localhost_login.md
index 93ff8ba..61f93fb 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_rdp_localhost_login.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_rdp_localhost_login.md
@@ -52,6 +52,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(EventID:"4624" AND LogonType:"10" AND SourceNetworkAddress:("\\:\\:1" OR "127.0.0.1"))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/RDP-Login-from-localhost <<EOF\n{\n  "metadata": {\n    "title": "RDP Login from localhost",\n    "description": "RDP login with localhost source address may be a tunnelled login",\n    "tags": [\n      "attack.lateral_movement",\n      "attack.t1076",\n      "car.2013-07-002"\n    ],\n    "query": "(EventID:\\"4624\\" AND LogonType:\\"10\\" AND SourceNetworkAddress:(\\"\\\\:\\\\:1\\" OR \\"127.0.0.1\\"))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:\\"4624\\" AND LogonType:\\"10\\" AND SourceNetworkAddress:(\\"\\\\:\\\\:1\\" OR \\"127.0.0.1\\"))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'RDP Login from localhost\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(EventID:"4624" AND LogonType:"10" AND SourceNetworkAddress:("\\:\\:1" "127.0.0.1"))
+```
+
+
 ### splunk
     
 ```
@@ -59,4 +80,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_source="Microsoft-Windows-Security-Auditing" event_id="4624" logon_type="10" SourceNetworkAddress IN ["::1", "127.0.0.1"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*4624)(?=.*10)(?=.*(?:.*::1|.*127\\.0\\.0\\.1)))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_rdp_potential_cve-2019-0708.md b/Atomic_Threat_Coverage/Detection_Rules/win_rdp_potential_cve-2019-0708.md
index 2f6b9c3..90d4b11 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_rdp_potential_cve-2019-0708.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_rdp_potential_cve-2019-0708.md
@@ -53,6 +53,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(EventID:("56" OR "50") AND Source:"TermDD")
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Potential-RDP-exploit-CVE-2019-0708 <<EOF\n{\n  "metadata": {\n    "title": "Potential RDP exploit CVE-2019-0708",\n    "description": "Detect suspicious error on protocol RDP, potential CVE-2019-0708",\n    "tags": [\n      "attack.initial_access",\n      "attack.lateral_movement",\n      "attack.t1210",\n      "attack.t1190",\n      "car.2013-07-002"\n    ],\n    "query": "(EventID:(\\"56\\" OR \\"50\\") AND Source:\\"TermDD\\")"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:(\\"56\\" OR \\"50\\") AND Source:\\"TermDD\\")",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Potential RDP exploit CVE-2019-0708\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(EventID:("56" "50") AND Source:"TermDD")
+```
+
+
 ### splunk
     
 ```
@@ -60,4 +81,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_source="Microsoft-Windows-Security-Auditing" event_id IN ["56", "50"] Source="TermDD")
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*56|.*50))(?=.*TermDD))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_rdp_reverse_tunnel.md b/Atomic_Threat_Coverage/Detection_Rules/win_rdp_reverse_tunnel.md
index 450c244..43e4caf 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_rdp_reverse_tunnel.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_rdp_reverse_tunnel.md
@@ -58,6 +58,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(EventID:"5156" AND ((SourcePort:"3389" AND DestinationAddress.keyword:(127.* OR \\:\\:1)) OR (DestinationPort:"3389" AND SourceAddress.keyword:(127.* OR \\:\\:1))))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/RDP-over-Reverse-SSH-Tunnel-WFP <<EOF\n{\n  "metadata": {\n    "title": "RDP over Reverse SSH Tunnel WFP",\n    "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.command_and_control",\n      "attack.t1076",\n      "car.2013-07-002"\n    ],\n    "query": "(EventID:\\"5156\\" AND ((SourcePort:\\"3389\\" AND DestinationAddress.keyword:(127.* OR \\\\:\\\\:1)) OR (DestinationPort:\\"3389\\" AND SourceAddress.keyword:(127.* OR \\\\:\\\\:1))))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:\\"5156\\" AND ((SourcePort:\\"3389\\" AND DestinationAddress.keyword:(127.* OR \\\\:\\\\:1)) OR (DestinationPort:\\"3389\\" AND SourceAddress.keyword:(127.* OR \\\\:\\\\:1))))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'RDP over Reverse SSH Tunnel WFP\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(EventID:"5156" AND ((SourcePort:"3389" AND DestinationAddress.keyword:(127.* \\:\\:1)) OR (DestinationPort:"3389" AND SourceAddress.keyword:(127.* \\:\\:1))))
+```
+
+
 ### splunk
     
 ```
@@ -65,4 +86,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_source="Microsoft-Windows-Security-Auditing" event_id="5156" ((SourcePort="3389" DestinationAddress IN ["127.*", "::1"]) OR (DestinationPort="3389" SourceAddress IN ["127.*", "::1"])))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*5156)(?=.*(?:.*(?:.*(?:.*(?=.*3389)(?=.*(?:.*127\\..*|.*::1)))|.*(?:.*(?=.*3389)(?=.*(?:.*127\\..*|.*::1)))))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_renamed_binary.md b/Atomic_Threat_Coverage/Detection_Rules/win_renamed_binary.md
index 23cbf3a..817c567 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_renamed_binary.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_renamed_binary.md
@@ -82,6 +82,27 @@ level: medium
 
 
 
+### es-qs
+    
+```
+(OriginalFileName:("cmd.exe" OR "powershell.exe" OR "powershell_ise.exe" OR "psexec.exe" OR "psexec.c" OR "cscript.exe" OR "wscript.exe" OR "mshta.exe" OR "regsvr32.exe" OR "wmic.exe" OR "certutil.exe" OR "rundll32.exe" OR "cmstp.exe" OR "msiexec.exe" OR "7z.exe" OR "winrar.exe") AND (NOT (Image.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\powershell_ise.exe OR *\\\\psexec.exe OR *\\\\psexec64.exe OR *\\\\cscript.exe OR *\\\\wscript.exe OR *\\\\mshta.exe OR *\\\\regsvr32.exe OR *\\\\wmic.exe OR *\\\\certutil.exe OR *\\\\rundll32.exe OR *\\\\cmstp.exe OR *\\\\msiexec.exe OR *\\\\7z.exe OR *\\\\winrar.exe))))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Renamed-Binary <<EOF\n{\n  "metadata": {\n    "title": "Renamed Binary",\n    "description": "Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.",\n    "tags": [\n      "attack.t1036",\n      "attack.defense_evasion"\n    ],\n    "query": "(OriginalFileName:(\\"cmd.exe\\" OR \\"powershell.exe\\" OR \\"powershell_ise.exe\\" OR \\"psexec.exe\\" OR \\"psexec.c\\" OR \\"cscript.exe\\" OR \\"wscript.exe\\" OR \\"mshta.exe\\" OR \\"regsvr32.exe\\" OR \\"wmic.exe\\" OR \\"certutil.exe\\" OR \\"rundll32.exe\\" OR \\"cmstp.exe\\" OR \\"msiexec.exe\\" OR \\"7z.exe\\" OR \\"winrar.exe\\") AND (NOT (Image.keyword:(*\\\\\\\\cmd.exe OR *\\\\\\\\powershell.exe OR *\\\\\\\\powershell_ise.exe OR *\\\\\\\\psexec.exe OR *\\\\\\\\psexec64.exe OR *\\\\\\\\cscript.exe OR *\\\\\\\\wscript.exe OR *\\\\\\\\mshta.exe OR *\\\\\\\\regsvr32.exe OR *\\\\\\\\wmic.exe OR *\\\\\\\\certutil.exe OR *\\\\\\\\rundll32.exe OR *\\\\\\\\cmstp.exe OR *\\\\\\\\msiexec.exe OR *\\\\\\\\7z.exe OR *\\\\\\\\winrar.exe))))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(OriginalFileName:(\\"cmd.exe\\" OR \\"powershell.exe\\" OR \\"powershell_ise.exe\\" OR \\"psexec.exe\\" OR \\"psexec.c\\" OR \\"cscript.exe\\" OR \\"wscript.exe\\" OR \\"mshta.exe\\" OR \\"regsvr32.exe\\" OR \\"wmic.exe\\" OR \\"certutil.exe\\" OR \\"rundll32.exe\\" OR \\"cmstp.exe\\" OR \\"msiexec.exe\\" OR \\"7z.exe\\" OR \\"winrar.exe\\") AND (NOT (Image.keyword:(*\\\\\\\\cmd.exe OR *\\\\\\\\powershell.exe OR *\\\\\\\\powershell_ise.exe OR *\\\\\\\\psexec.exe OR *\\\\\\\\psexec64.exe OR *\\\\\\\\cscript.exe OR *\\\\\\\\wscript.exe OR *\\\\\\\\mshta.exe OR *\\\\\\\\regsvr32.exe OR *\\\\\\\\wmic.exe OR *\\\\\\\\certutil.exe OR *\\\\\\\\rundll32.exe OR *\\\\\\\\cmstp.exe OR *\\\\\\\\msiexec.exe OR *\\\\\\\\7z.exe OR *\\\\\\\\winrar.exe))))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Renamed Binary\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(OriginalFileName:("cmd.exe" "powershell.exe" "powershell_ise.exe" "psexec.exe" "psexec.c" "cscript.exe" "wscript.exe" "mshta.exe" "regsvr32.exe" "wmic.exe" "certutil.exe" "rundll32.exe" "cmstp.exe" "msiexec.exe" "7z.exe" "winrar.exe") AND (NOT (Image.keyword:(*\\\\cmd.exe *\\\\powershell.exe *\\\\powershell_ise.exe *\\\\psexec.exe *\\\\psexec64.exe *\\\\cscript.exe *\\\\wscript.exe *\\\\mshta.exe *\\\\regsvr32.exe *\\\\wmic.exe *\\\\certutil.exe *\\\\rundll32.exe *\\\\cmstp.exe *\\\\msiexec.exe *\\\\7z.exe *\\\\winrar.exe))))
+```
+
+
 ### splunk
     
 ```
@@ -89,4 +110,18 @@ level: medium
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" OriginalFileName IN ["cmd.exe", "powershell.exe", "powershell_ise.exe", "psexec.exe", "psexec.c", "cscript.exe", "wscript.exe", "mshta.exe", "regsvr32.exe", "wmic.exe", "certutil.exe", "rundll32.exe", "cmstp.exe", "msiexec.exe", "7z.exe", "winrar.exe"]  -(Image IN ["*\\\\cmd.exe", "*\\\\powershell.exe", "*\\\\powershell_ise.exe", "*\\\\psexec.exe", "*\\\\psexec64.exe", "*\\\\cscript.exe", "*\\\\wscript.exe", "*\\\\mshta.exe", "*\\\\regsvr32.exe", "*\\\\wmic.exe", "*\\\\certutil.exe", "*\\\\rundll32.exe", "*\\\\cmstp.exe", "*\\\\msiexec.exe", "*\\\\7z.exe", "*\\\\winrar.exe"]))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*cmd\\.exe|.*powershell\\.exe|.*powershell_ise\\.exe|.*psexec\\.exe|.*psexec\\.c|.*cscript\\.exe|.*wscript\\.exe|.*mshta\\.exe|.*regsvr32\\.exe|.*wmic\\.exe|.*certutil\\.exe|.*rundll32\\.exe|.*cmstp\\.exe|.*msiexec\\.exe|.*7z\\.exe|.*winrar\\.exe))(?=.*(?!.*(?:.*(?=.*(?:.*.*\\cmd\\.exe|.*.*\\powershell\\.exe|.*.*\\powershell_ise\\.exe|.*.*\\psexec\\.exe|.*.*\\psexec64\\.exe|.*.*\\cscript\\.exe|.*.*\\wscript\\.exe|.*.*\\mshta\\.exe|.*.*\\regsvr32\\.exe|.*.*\\wmic\\.exe|.*.*\\certutil\\.exe|.*.*\\rundll32\\.exe|.*.*\\cmstp\\.exe|.*.*\\msiexec\\.exe|.*.*\\7z\\.exe|.*.*\\winrar\\.exe))))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_renamed_paexec.md b/Atomic_Threat_Coverage/Detection_Rules/win_renamed_paexec.md
index 380894d..84cad95 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_renamed_paexec.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_renamed_paexec.md
@@ -58,6 +58,27 @@ detection:
 
 
 
+### es-qs
+    
+```
+((Product.keyword:(*PAExec*) AND Imphash:("11D40A7B7876288F919AB819CC2D9802" OR "6444f8a34e99b8f7d9647de66aabe516" OR "dfd6aa3f7b2b1035b76b718f1ddc689f" OR "1a6cca4d5460b1710a12dea39e4a592c")) AND (NOT (Image.keyword:*paexec*)))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Execution-of-Renamed-PaExec <<EOF\n{\n  "metadata": {\n    "title": "Execution of Renamed PaExec",\n    "description": "Detects execution of renamed paexec via imphash and executable product string",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.t1036",\n      "FIN7",\n      "car.2013-05-009"\n    ],\n    "query": "((Product.keyword:(*PAExec*) AND Imphash:(\\"11D40A7B7876288F919AB819CC2D9802\\" OR \\"6444f8a34e99b8f7d9647de66aabe516\\" OR \\"dfd6aa3f7b2b1035b76b718f1ddc689f\\" OR \\"1a6cca4d5460b1710a12dea39e4a592c\\")) AND (NOT (Image.keyword:*paexec*)))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "((Product.keyword:(*PAExec*) AND Imphash:(\\"11D40A7B7876288F919AB819CC2D9802\\" OR \\"6444f8a34e99b8f7d9647de66aabe516\\" OR \\"dfd6aa3f7b2b1035b76b718f1ddc689f\\" OR \\"1a6cca4d5460b1710a12dea39e4a592c\\")) AND (NOT (Image.keyword:*paexec*)))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Execution of Renamed PaExec\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+((Product.keyword:(*PAExec*) AND Imphash:("11D40A7B7876288F919AB819CC2D9802" "6444f8a34e99b8f7d9647de66aabe516" "dfd6aa3f7b2b1035b76b718f1ddc689f" "1a6cca4d5460b1710a12dea39e4a592c")) AND (NOT (Image.keyword:*paexec*)))
+```
+
+
 ### splunk
     
 ```
@@ -65,4 +86,18 @@ detection:
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" (event_id="1" Product IN ["*PAExec*"] Imphash IN ["11D40A7B7876288F919AB819CC2D9802", "6444f8a34e99b8f7d9647de66aabe516", "dfd6aa3f7b2b1035b76b718f1ddc689f", "1a6cca4d5460b1710a12dea39e4a592c"])  -(Image="*paexec*"))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*(?=.*(?:.*.*PAExec.*))(?=.*(?:.*11D40A7B7876288F919AB819CC2D9802|.*6444f8a34e99b8f7d9647de66aabe516|.*dfd6aa3f7b2b1035b76b718f1ddc689f|.*1a6cca4d5460b1710a12dea39e4a592c))))(?=.*(?!.*(?:.*(?=.*.*paexec.*)))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_sdbinst_shim_persistence.md b/Atomic_Threat_Coverage/Detection_Rules/win_sdbinst_shim_persistence.md
index 880cfb6..de14669 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_sdbinst_shim_persistence.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_sdbinst_shim_persistence.md
@@ -3,7 +3,7 @@
 | Description          | Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications.                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1138: Application Shimming](https://attack.mitre.org/techniques/T1138)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1138: Application Shimming](../Triggers/T1138.md)</li></ul>  |
 | Severity Level       | high |
@@ -48,6 +48,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(Image.keyword:(*\\\\sdbinst.exe) AND CommandLine.keyword:(*.sdb*))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Possible-Shim-Database-Persistence-via-sdbinst.exe <<EOF\n{\n  "metadata": {\n    "title": "Possible Shim Database Persistence via sdbinst.exe",\n    "description": "Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications.",\n    "tags": [\n      "attack.persistence",\n      "attack.t1138"\n    ],\n    "query": "(Image.keyword:(*\\\\\\\\sdbinst.exe) AND CommandLine.keyword:(*.sdb*))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(Image.keyword:(*\\\\\\\\sdbinst.exe) AND CommandLine.keyword:(*.sdb*))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Possible Shim Database Persistence via sdbinst.exe\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(Image.keyword:(*\\\\sdbinst.exe) AND CommandLine.keyword:(*.sdb*))
+```
+
+
 ### splunk
     
 ```
@@ -55,4 +76,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" Image IN ["*\\\\sdbinst.exe"] CommandLine IN ["*.sdb*"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*.*\\sdbinst\\.exe))(?=.*(?:.*.*\\.sdb.*)))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_service_execution.md b/Atomic_Threat_Coverage/Detection_Rules/win_service_execution.md
index a433bb7..5a9645f 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_service_execution.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_service_execution.md
@@ -50,6 +50,27 @@ tags:
 
 
 
+### es-qs
+    
+```
+(Image.keyword:(*\\\\net.exe OR *\\\\net1.exe) AND CommandLine:/.*start.*[a-zA-Z0-9]/)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Service-Execution <<EOF\n{\n  "metadata": {\n    "title": "Service Execution",\n    "description": "Detects manual service execution (start) via system utilities",\n    "tags": [\n      "attack.execution",\n      "attack.t1035"\n    ],\n    "query": "(Image.keyword:(*\\\\\\\\net.exe OR *\\\\\\\\net1.exe) AND CommandLine:/.*start.*[a-zA-Z0-9]/)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(Image.keyword:(*\\\\\\\\net.exe OR *\\\\\\\\net1.exe) AND CommandLine:/.*start.*[a-zA-Z0-9]/)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Service Execution\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(Image.keyword:(*\\\\net.exe *\\\\net1.exe) AND CommandLine:/.*start.*[a-zA-Z0-9]/)
+```
+
+
 ### splunk
     
 ```
@@ -57,4 +78,18 @@ tags:
 ```
 
 
+### logpoint
+    
+```
+
+```
+
+
+### grep
+    
+```
+
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_shell_spawn_susp_program.md b/Atomic_Threat_Coverage/Detection_Rules/win_shell_spawn_susp_program.md
index 60ce24d..1532d9f 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_shell_spawn_susp_program.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_shell_spawn_susp_program.md
@@ -67,6 +67,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+((ParentImage.keyword:(*\\\\mshta.exe OR *\\\\powershell.exe OR *\\\\rundll32.exe OR *\\\\cscript.exe OR *\\\\wscript.exe OR *\\\\wmiprvse.exe) AND Image.keyword:(*\\\\schtasks.exe OR *\\\\nslookup.exe OR *\\\\certutil.exe OR *\\\\bitsadmin.exe OR *\\\\mshta.exe)) AND (NOT (CurrentDirectory.keyword:*\\\\ccmcache\\\\*)))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Windows-Shell-Spawning-Suspicious-Program <<EOF\n{\n  "metadata": {\n    "title": "Windows Shell Spawning Suspicious Program",\n    "description": "Detects a suspicious child process of a Windows shell",\n    "tags": [\n      "attack.execution",\n      "attack.defense_evasion",\n      "attack.t1064"\n    ],\n    "query": "((ParentImage.keyword:(*\\\\\\\\mshta.exe OR *\\\\\\\\powershell.exe OR *\\\\\\\\rundll32.exe OR *\\\\\\\\cscript.exe OR *\\\\\\\\wscript.exe OR *\\\\\\\\wmiprvse.exe) AND Image.keyword:(*\\\\\\\\schtasks.exe OR *\\\\\\\\nslookup.exe OR *\\\\\\\\certutil.exe OR *\\\\\\\\bitsadmin.exe OR *\\\\\\\\mshta.exe)) AND (NOT (CurrentDirectory.keyword:*\\\\\\\\ccmcache\\\\\\\\*)))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "((ParentImage.keyword:(*\\\\\\\\mshta.exe OR *\\\\\\\\powershell.exe OR *\\\\\\\\rundll32.exe OR *\\\\\\\\cscript.exe OR *\\\\\\\\wscript.exe OR *\\\\\\\\wmiprvse.exe) AND Image.keyword:(*\\\\\\\\schtasks.exe OR *\\\\\\\\nslookup.exe OR *\\\\\\\\certutil.exe OR *\\\\\\\\bitsadmin.exe OR *\\\\\\\\mshta.exe)) AND (NOT (CurrentDirectory.keyword:*\\\\\\\\ccmcache\\\\\\\\*)))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Windows Shell Spawning Suspicious Program\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n      CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+((ParentImage.keyword:(*\\\\mshta.exe *\\\\powershell.exe *\\\\rundll32.exe *\\\\cscript.exe *\\\\wscript.exe *\\\\wmiprvse.exe) AND Image.keyword:(*\\\\schtasks.exe *\\\\nslookup.exe *\\\\certutil.exe *\\\\bitsadmin.exe *\\\\mshta.exe)) AND (NOT (CurrentDirectory.keyword:*\\\\ccmcache\\\\*)))
+```
+
+
 ### splunk
     
 ```
@@ -74,4 +95,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" (ParentImage IN ["*\\\\mshta.exe", "*\\\\powershell.exe", "*\\\\rundll32.exe", "*\\\\cscript.exe", "*\\\\wscript.exe", "*\\\\wmiprvse.exe"] Image IN ["*\\\\schtasks.exe", "*\\\\nslookup.exe", "*\\\\certutil.exe", "*\\\\bitsadmin.exe", "*\\\\mshta.exe"])  -(CurrentDirectory="*\\\\ccmcache\\\\*"))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*(?=.*(?:.*.*\\mshta\\.exe|.*.*\\powershell\\.exe|.*.*\\rundll32\\.exe|.*.*\\cscript\\.exe|.*.*\\wscript\\.exe|.*.*\\wmiprvse\\.exe))(?=.*(?:.*.*\\schtasks\\.exe|.*.*\\nslookup\\.exe|.*.*\\certutil\\.exe|.*.*\\bitsadmin\\.exe|.*.*\\mshta\\.exe))))(?=.*(?!.*(?:.*(?=.*.*\\ccmcache\\\\.*)))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_spn_enum.md b/Atomic_Threat_Coverage/Detection_Rules/win_spn_enum.md
index 09e2ef3..977f1ee 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_spn_enum.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_spn_enum.md
@@ -50,6 +50,27 @@ level: medium
 
 
 
+### es-qs
+    
+```
+((Image.keyword:*\\\\setspn.exe OR Description.keyword:*Query\\ or\\ reset\\ the\\ computer*\\ SPN\\ attribute*) AND CommandLine.keyword:*\\-q*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Possible-SPN-Enumeration <<EOF\n{\n  "metadata": {\n    "title": "Possible SPN Enumeration",\n    "description": "Detects Service Principal Name Enumeration used for Kerberoasting",\n    "tags": [\n      "attack.credential_access",\n      "attack.t1208"\n    ],\n    "query": "((Image.keyword:*\\\\\\\\setspn.exe OR Description.keyword:*Query\\\\ or\\\\ reset\\\\ the\\\\ computer*\\\\ SPN\\\\ attribute*) AND CommandLine.keyword:*\\\\-q*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "((Image.keyword:*\\\\\\\\setspn.exe OR Description.keyword:*Query\\\\ or\\\\ reset\\\\ the\\\\ computer*\\\\ SPN\\\\ attribute*) AND CommandLine.keyword:*\\\\-q*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Possible SPN Enumeration\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+((Image.keyword:*\\\\setspn.exe OR Description.keyword:*Query or reset the computer* SPN attribute*) AND CommandLine.keyword:*\\-q*)
+```
+
+
 ### splunk
     
 ```
@@ -57,4 +78,18 @@ level: medium
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" (Image="*\\\\setspn.exe" OR Description="*Query or reset the computer* SPN attribute*") CommandLine="*-q*")
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*(?:.*.*\\setspn\\.exe|.*.*Query or reset the computer.* SPN attribute.*)))(?=.*.*-q.*))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_add_sid_history.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_add_sid_history.md
index 07b7828..3e8d533 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_add_sid_history.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_add_sid_history.md
@@ -3,7 +3,7 @@
 | Description          | An attacker can use the SID history attribute to gain additional privileges.                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1178: SID-History Injection](https://attack.mitre.org/techniques/T1178)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0027_4738_user_account_was_changed](../Data_Needed/DN_0027_4738_user_account_was_changed.md)</li><li>[DN_0074_4765_sid_history_was_added_to_an_account](../Data_Needed/DN_0074_4765_sid_history_was_added_to_an_account.md)</li><li>[DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed](../Data_Needed/DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0027_4738_user_account_was_changed](../Data_Needed/DN_0027_4738_user_account_was_changed.md)</li><li>[DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed](../Data_Needed/DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed.md)</li><li>[DN_0074_4765_sid_history_was_added_to_an_account](../Data_Needed/DN_0074_4765_sid_history_was_added_to_an_account.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1178: SID-History Injection](../Triggers/T1178.md)</li></ul>  |
 | Severity Level       | low |
@@ -54,6 +54,27 @@ level: low
 
 
 
+### es-qs
+    
+```
+(EventID:("4765" OR "4766") OR (EventID:"4738" AND (NOT (SidHistory:("\\-" OR "%%1793")))))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Addition-of-SID-History-to-Active-Directory-Object <<EOF\n{\n  "metadata": {\n    "title": "Addition of SID History to Active Directory Object",\n    "description": "An attacker can use the SID history attribute to gain additional privileges.",\n    "tags": [\n      "attack.persistence",\n      "attack.privilege_escalation",\n      "attack.t1178"\n    ],\n    "query": "(EventID:(\\"4765\\" OR \\"4766\\") OR (EventID:\\"4738\\" AND (NOT (SidHistory:(\\"\\\\-\\" OR \\"%%1793\\")))))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:(\\"4765\\" OR \\"4766\\") OR (EventID:\\"4738\\" AND (NOT (SidHistory:(\\"\\\\-\\" OR \\"%%1793\\")))))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Addition of SID History to Active Directory Object\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(EventID:("4765" "4766") OR (EventID:"4738" AND (NOT (SidHistory:("\\-" "%%1793")))))
+```
+
+
 ### splunk
     
 ```
@@ -61,4 +82,18 @@ level: low
 ```
 
 
+### logpoint
+    
+```
+(event_source="Microsoft-Windows-Security-Auditing" (event_id IN ["4765", "4766"] OR (event_source="Microsoft-Windows-Security-Auditing" event_id="4738"  -(SidHistory IN ["-", "%%1793"]))))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?:.*(?:.*4765|.*4766)|.*(?:.*(?=.*4738)(?=.*(?!.*(?:.*(?=.*(?:.*-|.*%%1793))))))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_backup_delete.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_backup_delete.md
index 4151c66..f1d3989 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_backup_delete.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_backup_delete.md
@@ -48,6 +48,27 @@ level: medium
 
 
 
+### es-qs
+    
+```
+(EventID:"524" AND Source:"Backup")
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Backup-Catalog-Deleted <<EOF\n{\n  "metadata": {\n    "title": "Backup Catalog Deleted",\n    "description": "Detects backup catalog deletions",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.t1107"\n    ],\n    "query": "(EventID:\\"524\\" AND Source:\\"Backup\\")"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:\\"524\\" AND Source:\\"Backup\\")",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Backup Catalog Deleted\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(EventID:"524" AND Source:"Backup")
+```
+
+
 ### splunk
     
 ```
@@ -55,4 +76,18 @@ level: medium
 ```
 
 
+### logpoint
+    
+```
+(event_id="524" Source="Backup")
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*524)(?=.*Backup))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_bcdedit.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_bcdedit.md
index 8a4c4ec..ecb5ab3 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_bcdedit.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_bcdedit.md
@@ -50,6 +50,27 @@ level: medium
 
 
 
+### es-qs
+    
+```
+(NewProcessName.keyword:*\\\\bcdedit.exe AND ProcessCommandLine.keyword:(*delete* OR *deletevalue* OR *import*))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Possible-Ransomware-or-unauthorized-MBR-modifications <<EOF\n{\n  "metadata": {\n    "title": "Possible Ransomware or unauthorized MBR modifications",\n    "description": "Detects, possibly, malicious unauthorized usage of bcdedit.exe",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.t1070",\n      "attack.persistence",\n      "attack.t1067"\n    ],\n    "query": "(NewProcessName.keyword:*\\\\\\\\bcdedit.exe AND ProcessCommandLine.keyword:(*delete* OR *deletevalue* OR *import*))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(NewProcessName.keyword:*\\\\\\\\bcdedit.exe AND ProcessCommandLine.keyword:(*delete* OR *deletevalue* OR *import*))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Possible Ransomware or unauthorized MBR modifications\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(NewProcessName.keyword:*\\\\bcdedit.exe AND ProcessCommandLine.keyword:(*delete* *deletevalue* *import*))
+```
+
+
 ### splunk
     
 ```
@@ -57,4 +78,18 @@ level: medium
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" NewProcessName="*\\\\bcdedit.exe" ProcessCommandLine IN ["*delete*", "*deletevalue*", "*import*"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*.*\\bcdedit\\.exe)(?=.*(?:.*.*delete.*|.*.*deletevalue.*|.*.*import.*)))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_bginfo.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_bginfo.md
index 41a26f6..61aa8a1 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_bginfo.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_bginfo.md
@@ -52,6 +52,27 @@ falsepositives:
 
 
 
+### es-qs
+    
+```
+(Image.keyword:*\\\\bginfo.exe AND CommandLine.keyword:*\\/popup* AND CommandLine.keyword:*\\/nolicprompt*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Application-whitelisting-bypass-via-bginfo <<EOF\n{\n  "metadata": {\n    "title": "Application whitelisting bypass via bginfo",\n    "description": "Execute VBscript code that is referenced within the *.bgi file.",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.execution",\n      "attack.t1218"\n    ],\n    "query": "(Image.keyword:*\\\\\\\\bginfo.exe AND CommandLine.keyword:*\\\\/popup* AND CommandLine.keyword:*\\\\/nolicprompt*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(Image.keyword:*\\\\\\\\bginfo.exe AND CommandLine.keyword:*\\\\/popup* AND CommandLine.keyword:*\\\\/nolicprompt*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Application whitelisting bypass via bginfo\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(Image.keyword:*\\\\bginfo.exe AND CommandLine.keyword:*\\/popup* AND CommandLine.keyword:*\\/nolicprompt*)
+```
+
+
 ### splunk
     
 ```
@@ -59,4 +80,18 @@ falsepositives:
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" Image="*\\\\bginfo.exe" CommandLine="*/popup*" CommandLine="*/nolicprompt*")
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*.*\\bginfo\\.exe)(?=.*.*/popup.*)(?=.*.*/nolicprompt.*))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_calc.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_calc.md
index d572e09..175b98d 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_calc.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_calc.md
@@ -3,7 +3,7 @@
 | Description          | Detects suspicious use of calc.exe with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1036: Masquerading](../Triggers/T1036.md)</li></ul>  |
 | Severity Level       | high |
@@ -50,6 +50,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(CommandLine.keyword:*\\\\calc.exe\\ * OR (Image.keyword:*\\\\calc.exe AND (NOT (Image.keyword:*\\\\Windows\\\\Sys*))))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-Calculator-Usage <<EOF\n{\n  "metadata": {\n    "title": "Suspicious Calculator Usage",\n    "description": "Detects suspicious use of calc.exe with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.t1036"\n    ],\n    "query": "(CommandLine.keyword:*\\\\\\\\calc.exe\\\\ * OR (Image.keyword:*\\\\\\\\calc.exe AND (NOT (Image.keyword:*\\\\\\\\Windows\\\\\\\\Sys*))))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(CommandLine.keyword:*\\\\\\\\calc.exe\\\\ * OR (Image.keyword:*\\\\\\\\calc.exe AND (NOT (Image.keyword:*\\\\\\\\Windows\\\\\\\\Sys*))))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Suspicious Calculator Usage\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(CommandLine.keyword:*\\\\calc.exe * OR (Image.keyword:*\\\\calc.exe AND (NOT (Image.keyword:*\\\\Windows\\\\Sys*))))
+```
+
+
 ### splunk
     
 ```
@@ -57,4 +78,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" (CommandLine="*\\\\calc.exe *" OR (event_id="1" Image="*\\\\calc.exe"  -(Image="*\\\\Windows\\\\Sys*"))))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?:.*.*\\calc\\.exe .*|.*(?:.*(?=.*.*\\calc\\.exe)(?=.*(?!.*(?:.*(?=.*.*\\Windows\\Sys.*)))))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_cdb.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_cdb.md
index d2fa04e..c48169e 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_cdb.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_cdb.md
@@ -50,6 +50,27 @@ falsepositives:
 
 
 
+### es-qs
+    
+```
+(Image.keyword:*\\\\cdb.exe AND CommandLine.keyword:*\\-cf*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Possible-Application-Whitelisting-Bypass-via-WinDbg/CDB-as-a-shellcode-runner <<EOF\n{\n  "metadata": {\n    "title": "Possible Application Whitelisting Bypass via WinDbg/CDB as a shellcode runner",\n    "description": "Launch 64-bit shellcode from the x64_calc.wds file using cdb.exe.",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.execution",\n      "attack.t1218"\n    ],\n    "query": "(Image.keyword:*\\\\\\\\cdb.exe AND CommandLine.keyword:*\\\\-cf*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(Image.keyword:*\\\\\\\\cdb.exe AND CommandLine.keyword:*\\\\-cf*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Possible Application Whitelisting Bypass via WinDbg/CDB as a shellcode runner\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(Image.keyword:*\\\\cdb.exe AND CommandLine.keyword:*\\-cf*)
+```
+
+
 ### splunk
     
 ```
@@ -57,4 +78,18 @@ falsepositives:
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" Image="*\\\\cdb.exe" CommandLine="*-cf*")
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*.*\\cdb\\.exe)(?=.*.*-cf.*))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_certutil_command.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_certutil_command.md
index c5ae2f6..5c2d5b9 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_certutil_command.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_certutil_command.md
@@ -3,7 +3,7 @@
 | Description          | Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code with the built-in certutil utility                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1140: Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)</li><li>[T1105: Remote File Copy](https://attack.mitre.org/techniques/T1105)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1140: Deobfuscate/Decode Files or Information](../Triggers/T1140.md)</li><li>[T1105: Remote File Copy](../Triggers/T1105.md)</li></ul>  |
 | Severity Level       | high |
@@ -73,6 +73,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+CommandLine.keyword:(*\\ \\-decode\\ * OR *\\ \\/decode\\ * OR *\\ \\-decodehex\\ * OR *\\ \\/decodehex\\ * OR *\\ \\-urlcache\\ * OR *\\ \\/urlcache\\ * OR *\\ \\-verifyctl\\ * OR *\\ \\/verifyctl\\ * OR *\\ \\-encode\\ * OR *\\ \\/encode\\ * OR *certutil*\\ \\-URL* OR *certutil*\\ \\/URL* OR *certutil*\\ \\-ping* OR *certutil*\\ \\/ping*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-Certutil-Command <<EOF\n{\n  "metadata": {\n    "title": "Suspicious Certutil Command",\n    "description": "Detects a suspicious Microsoft certutil execution with sub commands like \'decode\' sub command, which is sometimes used to decode malicious code with the built-in certutil utility",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.t1140",\n      "attack.t1105",\n      "attack.s0189",\n      "attack.g0007"\n    ],\n    "query": "CommandLine.keyword:(*\\\\ \\\\-decode\\\\ * OR *\\\\ \\\\/decode\\\\ * OR *\\\\ \\\\-decodehex\\\\ * OR *\\\\ \\\\/decodehex\\\\ * OR *\\\\ \\\\-urlcache\\\\ * OR *\\\\ \\\\/urlcache\\\\ * OR *\\\\ \\\\-verifyctl\\\\ * OR *\\\\ \\\\/verifyctl\\\\ * OR *\\\\ \\\\-encode\\\\ * OR *\\\\ \\\\/encode\\\\ * OR *certutil*\\\\ \\\\-URL* OR *certutil*\\\\ \\\\/URL* OR *certutil*\\\\ \\\\-ping* OR *certutil*\\\\ \\\\/ping*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "CommandLine.keyword:(*\\\\ \\\\-decode\\\\ * OR *\\\\ \\\\/decode\\\\ * OR *\\\\ \\\\-decodehex\\\\ * OR *\\\\ \\\\/decodehex\\\\ * OR *\\\\ \\\\-urlcache\\\\ * OR *\\\\ \\\\/urlcache\\\\ * OR *\\\\ \\\\-verifyctl\\\\ * OR *\\\\ \\\\/verifyctl\\\\ * OR *\\\\ \\\\-encode\\\\ * OR *\\\\ \\\\/encode\\\\ * OR *certutil*\\\\ \\\\-URL* OR *certutil*\\\\ \\\\/URL* OR *certutil*\\\\ \\\\-ping* OR *certutil*\\\\ \\\\/ping*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Suspicious Certutil Command\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n      CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+CommandLine.keyword:(* \\-decode * * \\/decode * * \\-decodehex * * \\/decodehex * * \\-urlcache * * \\/urlcache * * \\-verifyctl * * \\/verifyctl * * \\-encode * * \\/encode * *certutil* \\-URL* *certutil* \\/URL* *certutil* \\-ping* *certutil* \\/ping*)
+```
+
+
 ### splunk
     
 ```
@@ -80,4 +101,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" CommandLine IN ["* -decode *", "* /decode *", "* -decodehex *", "* /decodehex *", "* -urlcache *", "* /urlcache *", "* -verifyctl *", "* /verifyctl *", "* -encode *", "* /encode *", "*certutil* -URL*", "*certutil* /URL*", "*certutil* -ping*", "*certutil* /ping*"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*.* -decode .*|.*.* /decode .*|.*.* -decodehex .*|.*.* /decodehex .*|.*.* -urlcache .*|.*.* /urlcache .*|.*.* -verifyctl .*|.*.* /verifyctl .*|.*.* -encode .*|.*.* /encode .*|.*.*certutil.* -URL.*|.*.*certutil.* /URL.*|.*.*certutil.* -ping.*|.*.*certutil.* /ping.*)'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_certutil_encode.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_certutil_encode.md
index e879566..567037b 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_certutil_encode.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_certutil_encode.md
@@ -3,7 +3,7 @@
 | Description          | Detects suspicious a certutil command that used to encode files, which is sometimes used for data exfiltration                                                                                                                                           |
 | ATT&amp;CK Tactic    |   This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet  |
 | ATT&amp;CK Technique |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              |  There is no documented Trigger for this Detection Rule yet  |
 | Severity Level       | medium |
@@ -48,6 +48,27 @@ level: medium
 
 
 
+### es-qs
+    
+```
+CommandLine.keyword:(certutil\\ \\-f\\ \\-encode\\ * OR certutil.exe\\ \\-f\\ \\-encode\\ * OR certutil\\ \\-encode\\ \\-f\\ * OR certutil.exe\\ \\-encode\\ \\-f\\ *)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Certutil-Encode <<EOF\n{\n  "metadata": {\n    "title": "Certutil Encode",\n    "description": "Detects suspicious a certutil command that used to encode files, which is sometimes used for data exfiltration",\n    "tags": "",\n    "query": "CommandLine.keyword:(certutil\\\\ \\\\-f\\\\ \\\\-encode\\\\ * OR certutil.exe\\\\ \\\\-f\\\\ \\\\-encode\\\\ * OR certutil\\\\ \\\\-encode\\\\ \\\\-f\\\\ * OR certutil.exe\\\\ \\\\-encode\\\\ \\\\-f\\\\ *)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "CommandLine.keyword:(certutil\\\\ \\\\-f\\\\ \\\\-encode\\\\ * OR certutil.exe\\\\ \\\\-f\\\\ \\\\-encode\\\\ * OR certutil\\\\ \\\\-encode\\\\ \\\\-f\\\\ * OR certutil.exe\\\\ \\\\-encode\\\\ \\\\-f\\\\ *)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Certutil Encode\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+CommandLine.keyword:(certutil \\-f \\-encode * certutil.exe \\-f \\-encode * certutil \\-encode \\-f * certutil.exe \\-encode \\-f *)
+```
+
+
 ### splunk
     
 ```
@@ -55,4 +76,18 @@ level: medium
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" CommandLine IN ["certutil -f -encode *", "certutil.exe -f -encode *", "certutil -encode -f *", "certutil.exe -encode -f *"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*certutil -f -encode .*|.*certutil\\.exe -f -encode .*|.*certutil -encode -f .*|.*certutil\\.exe -encode -f .*)'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_cli_escape.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_cli_escape.md
index 37f811c..e339d61 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_cli_escape.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_cli_escape.md
@@ -3,7 +3,7 @@
 | Description          | Detects suspicious process that use escape characters                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1140: Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1140: Deobfuscate/Decode Files or Information](../Triggers/T1140.md)</li></ul>  |
 | Severity Level       | low |
@@ -53,6 +53,27 @@ level: low
 
 
 
+### es-qs
+    
+```
+CommandLine:("\\^h\\^t\\^t\\^p" OR "h\\"t\\"t\\"p")
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-Commandline-Escape <<EOF\n{\n  "metadata": {\n    "title": "Suspicious Commandline Escape",\n    "description": "Detects suspicious process that use escape characters",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.t1140"\n    ],\n    "query": "CommandLine:(\\"\\\\^h\\\\^t\\\\^t\\\\^p\\" OR \\"h\\\\\\"t\\\\\\"t\\\\\\"p\\")"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "CommandLine:(\\"\\\\^h\\\\^t\\\\^t\\\\^p\\" OR \\"h\\\\\\"t\\\\\\"t\\\\\\"p\\")",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Suspicious Commandline Escape\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+CommandLine:("\\^h\\^t\\^t\\^p" "h\\"t\\"t\\"p")
+```
+
+
 ### splunk
     
 ```
@@ -60,4 +81,18 @@ level: low
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" CommandLine IN ["^h^t^t^p", "h\\"t\\"t\\"p"])
+```
+
+
+### grep
+    
+```
+grep -P \'^(?:.*\\^h\\^t\\^t\\^p|.*h"t"t"p)\'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_cmd_http_appdata.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_cmd_http_appdata.md
index 1afbeba..58995db 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_cmd_http_appdata.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_cmd_http_appdata.md
@@ -3,7 +3,7 @@
 | Description          | Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1059: Command-Line Interface](https://attack.mitre.org/techniques/T1059)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1059: Command-Line Interface](../Triggers/T1059.md)</li></ul>  |
 | Severity Level       | medium |
@@ -52,6 +52,27 @@ level: medium
 
 
 
+### es-qs
+    
+```
+CommandLine.keyword:(cmd.exe\\ \\/c\\ *http\\:\\/\\/*%AppData% OR cmd.exe\\ \\/c\\ *https\\:\\/\\/*%AppData%)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Command-Line-Execution-with-suspicious-URL-and-AppData-Strings <<EOF\n{\n  "metadata": {\n    "title": "Command Line Execution with suspicious URL and AppData Strings",\n    "description": "Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)",\n    "tags": [\n      "attack.execution",\n      "attack.t1059"\n    ],\n    "query": "CommandLine.keyword:(cmd.exe\\\\ \\\\/c\\\\ *http\\\\:\\\\/\\\\/*%AppData% OR cmd.exe\\\\ \\\\/c\\\\ *https\\\\:\\\\/\\\\/*%AppData%)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "CommandLine.keyword:(cmd.exe\\\\ \\\\/c\\\\ *http\\\\:\\\\/\\\\/*%AppData% OR cmd.exe\\\\ \\\\/c\\\\ *https\\\\:\\\\/\\\\/*%AppData%)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Command Line Execution with suspicious URL and AppData Strings\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n      CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+CommandLine.keyword:(cmd.exe \\/c *http\\:\\/\\/*%AppData% cmd.exe \\/c *https\\:\\/\\/*%AppData%)
+```
+
+
 ### splunk
     
 ```
@@ -59,4 +80,18 @@ level: medium
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" CommandLine IN ["cmd.exe /c *http://*%AppData%", "cmd.exe /c *https://*%AppData%"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*cmd\\.exe /c .*http://.*%AppData%|.*cmd\\.exe /c .*https://.*%AppData%)'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_codepage_switch.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_codepage_switch.md
index a62dd67..1a08314 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_codepage_switch.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_codepage_switch.md
@@ -3,7 +3,7 @@
 | Description          | Detects a code page switch in command line or batch scripts to a rare language                                                                                                                                           |
 | ATT&amp;CK Tactic    |   This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet  |
 | ATT&amp;CK Technique |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              |  There is no documented Trigger for this Detection Rule yet  |
 | Severity Level       | medium |
@@ -52,6 +52,27 @@ level: medium
 
 
 
+### es-qs
+    
+```
+CommandLine.keyword:(chcp*\\ 936 OR chcp*\\ 1258)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-Code-Page-Switch <<EOF\n{\n  "metadata": {\n    "title": "Suspicious Code Page Switch",\n    "description": "Detects a code page switch in command line or batch scripts to a rare language",\n    "tags": "",\n    "query": "CommandLine.keyword:(chcp*\\\\ 936 OR chcp*\\\\ 1258)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "CommandLine.keyword:(chcp*\\\\ 936 OR chcp*\\\\ 1258)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Suspicious Code Page Switch\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+CommandLine.keyword:(chcp* 936 chcp* 1258)
+```
+
+
 ### splunk
     
 ```
@@ -59,4 +80,18 @@ level: medium
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" CommandLine IN ["chcp* 936", "chcp* 1258"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*chcp.* 936|.*chcp.* 1258)'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_commands_recon_activity.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_commands_recon_activity.md
index 156155e..160c28a 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_commands_recon_activity.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_commands_recon_activity.md
@@ -3,7 +3,7 @@
 | Description          | Detects a set of commands often used in recon stages by different attack groups                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1087: Account Discovery](https://attack.mitre.org/techniques/T1087)</li><li>[T1082: System Information Discovery](https://attack.mitre.org/techniques/T1082)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1087: Account Discovery](../Triggers/T1087.md)</li><li>[T1082: System Information Discovery](../Triggers/T1082.md)</li></ul>  |
 | Severity Level       | medium |
@@ -69,6 +69,27 @@ level: medium
 
 
 
+### es-qs
+    
+```
+
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Reconnaissance-Activity-with-Net-Command <<EOF\n{\n  "metadata": {\n    "title": "Reconnaissance Activity with Net Command",\n    "description": "Detects a set of commands often used in recon stages by different attack groups",\n    "tags": [\n      "attack.discovery",\n      "attack.t1087",\n      "attack.t1082",\n      "car.2016-03-001"\n    ],\n    "query": "CommandLine.keyword:(tasklist OR net\\\\ time OR systeminfo OR whoami OR nbtstat OR net\\\\ start OR *\\\\\\\\net1\\\\ start OR qprocess OR nslookup OR hostname.exe OR *\\\\\\\\net1\\\\ user\\\\ \\\\/domain OR *\\\\\\\\net1\\\\ group\\\\ \\\\/domain OR *\\\\\\\\net1\\\\ group\\\\ \\\\\\"domain\\\\ admins\\\\\\"\\\\ \\\\/domain OR *\\\\\\\\net1\\\\ group\\\\ \\\\\\"Exchange\\\\ Trusted\\\\ Subsystem\\\\\\"\\\\ \\\\/domain OR *\\\\\\\\net1\\\\ accounts\\\\ \\\\/domain OR *\\\\\\\\net1\\\\ user\\\\ net\\\\ localgroup\\\\ administrators OR netstat\\\\ \\\\-an)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "15s"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "CommandLine.keyword:(tasklist OR net\\\\ time OR systeminfo OR whoami OR nbtstat OR net\\\\ start OR *\\\\\\\\net1\\\\ start OR qprocess OR nslookup OR hostname.exe OR *\\\\\\\\net1\\\\ user\\\\ \\\\/domain OR *\\\\\\\\net1\\\\ group\\\\ \\\\/domain OR *\\\\\\\\net1\\\\ group\\\\ \\\\\\"domain\\\\ admins\\\\\\"\\\\ \\\\/domain OR *\\\\\\\\net1\\\\ group\\\\ \\\\\\"Exchange\\\\ Trusted\\\\ Subsystem\\\\\\"\\\\ \\\\/domain OR *\\\\\\\\net1\\\\ accounts\\\\ \\\\/domain OR *\\\\\\\\net1\\\\ user\\\\ net\\\\ localgroup\\\\ administrators OR netstat\\\\ \\\\-an)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          },\n          "aggs": {\n            "by": {\n              "terms": {\n                "field": "CommandLine.keyword",\n                "size": 10,\n                "order": {\n                  "_count": "desc"\n                },\n                "min_doc_count": 5\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.aggregations.by.buckets.0.doc_count": {\n        "gt": 4\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Reconnaissance Activity with Net Command\'",\n        "body": "Hits:\\n{{#aggregations.by.buckets}}\\n {{key}} {{doc_count}}\\n{{/aggregations.by.buckets}}\\n",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+
+```
+
+
 ### splunk
     
 ```
@@ -76,4 +97,18 @@ level: medium
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" CommandLine IN ["tasklist", "net time", "systeminfo", "whoami", "nbtstat", "net start", "*\\\\net1 start", "qprocess", "nslookup", "hostname.exe", "*\\\\net1 user /domain", "*\\\\net1 group /domain", "*\\\\net1 group \\"domain admins\\" /domain", "*\\\\net1 group \\"Exchange Trusted Subsystem\\" /domain", "*\\\\net1 accounts /domain", "*\\\\net1 user net localgroup administrators", "netstat -an"]) | chart count() as val by CommandLine | search val > 4
+```
+
+
+### grep
+    
+```
+grep -P \'^(?:.*tasklist|.*net time|.*systeminfo|.*whoami|.*nbtstat|.*net start|.*.*\\net1 start|.*qprocess|.*nslookup|.*hostname\\.exe|.*.*\\net1 user /domain|.*.*\\net1 group /domain|.*.*\\net1 group "domain admins" /domain|.*.*\\net1 group "Exchange Trusted Subsystem" /domain|.*.*\\net1 accounts /domain|.*.*\\net1 user net localgroup administrators|.*netstat -an)\'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_compression_params.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_compression_params.md
index 99dd776..b52c07c 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_compression_params.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_compression_params.md
@@ -59,6 +59,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+((OriginalFileName.keyword:(7z*.exe OR *rar.exe OR *Command*Line*RAR*) AND CommandLine.keyword:(*\\ \\-p* OR *\\ \\-ta* OR *\\ \\-tb* OR *\\ \\-sdel* OR *\\ \\-dw* OR *\\ \\-hp*)) AND (NOT (ParentImage.keyword:C\\:\\\\Program*)))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-Compression-Tool-Parameters <<EOF\n{\n  "metadata": {\n    "title": "Suspicious Compression Tool Parameters",\n    "description": "Detects suspicious command line arguments of common data compression tools",\n    "tags": [\n      "attack.exfiltration",\n      "attack.t1020",\n      "attack.t1002"\n    ],\n    "query": "((OriginalFileName.keyword:(7z*.exe OR *rar.exe OR *Command*Line*RAR*) AND CommandLine.keyword:(*\\\\ \\\\-p* OR *\\\\ \\\\-ta* OR *\\\\ \\\\-tb* OR *\\\\ \\\\-sdel* OR *\\\\ \\\\-dw* OR *\\\\ \\\\-hp*)) AND (NOT (ParentImage.keyword:C\\\\:\\\\\\\\Program*)))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "((OriginalFileName.keyword:(7z*.exe OR *rar.exe OR *Command*Line*RAR*) AND CommandLine.keyword:(*\\\\ \\\\-p* OR *\\\\ \\\\-ta* OR *\\\\ \\\\-tb* OR *\\\\ \\\\-sdel* OR *\\\\ \\\\-dw* OR *\\\\ \\\\-hp*)) AND (NOT (ParentImage.keyword:C\\\\:\\\\\\\\Program*)))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Suspicious Compression Tool Parameters\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+((OriginalFileName.keyword:(7z*.exe *rar.exe *Command*Line*RAR*) AND CommandLine.keyword:(* \\-p* * \\-ta* * \\-tb* * \\-sdel* * \\-dw* * \\-hp*)) AND (NOT (ParentImage.keyword:C\\:\\\\Program*)))
+```
+
+
 ### splunk
     
 ```
@@ -66,4 +87,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" (OriginalFileName IN ["7z*.exe", "*rar.exe", "*Command*Line*RAR*"] CommandLine IN ["* -p*", "* -ta*", "* -tb*", "* -sdel*", "* -dw*", "* -hp*"])  -(ParentImage="C:\\\\Program*"))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*(?=.*(?:.*7z.*\\.exe|.*.*rar\\.exe|.*.*Command.*Line.*RAR.*))(?=.*(?:.*.* -p.*|.*.* -ta.*|.*.* -tb.*|.*.* -sdel.*|.*.* -dw.*|.*.* -hp.*))))(?=.*(?!.*(?:.*(?=.*C:\\Program.*)))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_comsvcs_procdump.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_comsvcs_procdump.md
index 5b01131..19d8a91 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_comsvcs_procdump.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_comsvcs_procdump.md
@@ -56,6 +56,27 @@ level: medium
 
 
 
+### es-qs
+    
+```
+((Image.keyword:*\\\\rundll32.exe OR OriginalFileName:"RUNDLL32.EXE") AND CommandLine.keyword:(*comsvcs*MiniDump*full* OR *comsvcs*MiniDumpW*full*))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Process-dump-via-comsvcs-DLL <<EOF\n{\n  "metadata": {\n    "title": "Process dump via comsvcs DLL",\n    "description": "Detects process memory dump via comsvcs.dll and rundll32",\n    "tags": [\n      "attack.credential_access",\n      "attack.t1003"\n    ],\n    "query": "((Image.keyword:*\\\\\\\\rundll32.exe OR OriginalFileName:\\"RUNDLL32.EXE\\") AND CommandLine.keyword:(*comsvcs*MiniDump*full* OR *comsvcs*MiniDumpW*full*))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "((Image.keyword:*\\\\\\\\rundll32.exe OR OriginalFileName:\\"RUNDLL32.EXE\\") AND CommandLine.keyword:(*comsvcs*MiniDump*full* OR *comsvcs*MiniDumpW*full*))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Process dump via comsvcs DLL\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n      CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+((Image.keyword:*\\\\rundll32.exe OR OriginalFileName:"RUNDLL32.EXE") AND CommandLine.keyword:(*comsvcs*MiniDump*full* *comsvcs*MiniDumpW*full*))
+```
+
+
 ### splunk
     
 ```
@@ -63,4 +84,18 @@ level: medium
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" (Image="*\\\\rundll32.exe" OR OriginalFileName="RUNDLL32.EXE") CommandLine IN ["*comsvcs*MiniDump*full*", "*comsvcs*MiniDumpW*full*"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*(?:.*.*\\rundll32\\.exe|.*RUNDLL32\\.EXE)))(?=.*(?:.*.*comsvcs.*MiniDump.*full.*|.*.*comsvcs.*MiniDumpW.*full.*)))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_control_dll_load.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_control_dll_load.md
index 5c40e81..3fdfbb5 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_control_dll_load.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_control_dll_load.md
@@ -3,7 +3,7 @@
 | Description          | Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1073: DLL Side-Loading](https://attack.mitre.org/techniques/T1073)</li><li>[T1085: Rundll32](https://attack.mitre.org/techniques/T1085)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1073: DLL Side-Loading](../Triggers/T1073.md)</li><li>[T1085: Rundll32](../Triggers/T1085.md)</li></ul>  |
 | Severity Level       | high |
@@ -54,6 +54,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+((ParentImage.keyword:*\\\\System32\\\\control.exe AND CommandLine.keyword:*\\\\rundll32.exe\\ *) AND (NOT (CommandLine.keyword:*Shell32.dll*)))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-Control-Panel-DLL-Load <<EOF\n{\n  "metadata": {\n    "title": "Suspicious Control Panel DLL Load",\n    "description": "Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.t1073",\n      "attack.t1085",\n      "car.2013-10-002"\n    ],\n    "query": "((ParentImage.keyword:*\\\\\\\\System32\\\\\\\\control.exe AND CommandLine.keyword:*\\\\\\\\rundll32.exe\\\\ *) AND (NOT (CommandLine.keyword:*Shell32.dll*)))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "((ParentImage.keyword:*\\\\\\\\System32\\\\\\\\control.exe AND CommandLine.keyword:*\\\\\\\\rundll32.exe\\\\ *) AND (NOT (CommandLine.keyword:*Shell32.dll*)))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Suspicious Control Panel DLL Load\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n      CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+((ParentImage.keyword:*\\\\System32\\\\control.exe AND CommandLine.keyword:*\\\\rundll32.exe *) AND (NOT (CommandLine.keyword:*Shell32.dll*)))
+```
+
+
 ### splunk
     
 ```
@@ -61,4 +82,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" (ParentImage="*\\\\System32\\\\control.exe" CommandLine="*\\\\rundll32.exe *")  -(CommandLine="*Shell32.dll*"))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*(?=.*.*\\System32\\control\\.exe)(?=.*.*\\rundll32\\.exe .*)))(?=.*(?!.*(?:.*(?=.*.*Shell32\\.dll.*)))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_csc.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_csc.md
index e828336..ef49027 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_csc.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_csc.md
@@ -3,7 +3,7 @@
 | Description          | Detects a suspicious parent of csc.exe, which could by a sign of payload delivery                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1036: Masquerading](../Triggers/T1036.md)</li></ul>  |
 | Severity Level       | high |
@@ -50,6 +50,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(Image.keyword:*\\\\csc.exe* AND ParentImage.keyword:(*\\\\wscript.exe OR *\\\\cscript.exe OR *\\\\mshta.exe))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-Parent-of-Csc.exe <<EOF\n{\n  "metadata": {\n    "title": "Suspicious Parent of Csc.exe",\n    "description": "Detects a suspicious parent of csc.exe, which could by a sign of payload delivery",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.t1036"\n    ],\n    "query": "(Image.keyword:*\\\\\\\\csc.exe* AND ParentImage.keyword:(*\\\\\\\\wscript.exe OR *\\\\\\\\cscript.exe OR *\\\\\\\\mshta.exe))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(Image.keyword:*\\\\\\\\csc.exe* AND ParentImage.keyword:(*\\\\\\\\wscript.exe OR *\\\\\\\\cscript.exe OR *\\\\\\\\mshta.exe))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Suspicious Parent of Csc.exe\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(Image.keyword:*\\\\csc.exe* AND ParentImage.keyword:(*\\\\wscript.exe *\\\\cscript.exe *\\\\mshta.exe))
+```
+
+
 ### splunk
     
 ```
@@ -57,4 +78,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" Image="*\\\\csc.exe*" ParentImage IN ["*\\\\wscript.exe", "*\\\\cscript.exe", "*\\\\mshta.exe"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*.*\\csc\\.exe.*)(?=.*(?:.*.*\\wscript\\.exe|.*.*\\cscript\\.exe|.*.*\\mshta\\.exe)))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_csc_folder.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_csc_folder.md
index e88f688..ecbc071 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_csc_folder.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_csc_folder.md
@@ -3,7 +3,7 @@
 | Description          | Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. AppData)                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1500: Compile After Delivery](https://attack.mitre.org/techniques/T1500)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1500: Compile After Delivery](../Triggers/T1500.md)</li></ul>  |
 | Severity Level       | high |
@@ -52,6 +52,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(Image.keyword:*\\\\csc.exe AND CommandLine.keyword:(*\\\\AppData\\\\* OR *\\\\Windows\\\\Temp\\\\*))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-Csc.exe-Source-File-Folder <<EOF\n{\n  "metadata": {\n    "title": "Suspicious Csc.exe Source File Folder",\n    "description": "Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. AppData)",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.t1500"\n    ],\n    "query": "(Image.keyword:*\\\\\\\\csc.exe AND CommandLine.keyword:(*\\\\\\\\AppData\\\\\\\\* OR *\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\*))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(Image.keyword:*\\\\\\\\csc.exe AND CommandLine.keyword:(*\\\\\\\\AppData\\\\\\\\* OR *\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\*))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Suspicious Csc.exe Source File Folder\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(Image.keyword:*\\\\csc.exe AND CommandLine.keyword:(*\\\\AppData\\\\* *\\\\Windows\\\\Temp\\\\*))
+```
+
+
 ### splunk
     
 ```
@@ -59,4 +80,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" Image="*\\\\csc.exe" CommandLine IN ["*\\\\AppData\\\\*", "*\\\\Windows\\\\Temp\\\\*"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*.*\\csc\\.exe)(?=.*(?:.*.*\\AppData\\\\.*|.*.*\\Windows\\Temp\\\\.*)))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_devtoolslauncher.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_devtoolslauncher.md
index d1c48fe..ac75086 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_devtoolslauncher.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_devtoolslauncher.md
@@ -50,6 +50,27 @@ falsepositives:
 
 
 
+### es-qs
+    
+```
+(Image.keyword:*\\\\devtoolslauncher.exe AND CommandLine.keyword:*LaunchForDeploy*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Devtoolslauncher.exe-executes-specified-binary <<EOF\n{\n  "metadata": {\n    "title": "Devtoolslauncher.exe executes specified binary",\n    "description": "The Devtoolslauncher.exe executes other binary",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.execution",\n      "attack.t1218"\n    ],\n    "query": "(Image.keyword:*\\\\\\\\devtoolslauncher.exe AND CommandLine.keyword:*LaunchForDeploy*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(Image.keyword:*\\\\\\\\devtoolslauncher.exe AND CommandLine.keyword:*LaunchForDeploy*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Devtoolslauncher.exe executes specified binary\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(Image.keyword:*\\\\devtoolslauncher.exe AND CommandLine.keyword:*LaunchForDeploy*)
+```
+
+
 ### splunk
     
 ```
@@ -57,4 +78,18 @@ falsepositives:
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" Image="*\\\\devtoolslauncher.exe" CommandLine="*LaunchForDeploy*")
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*.*\\devtoolslauncher\\.exe)(?=.*.*LaunchForDeploy.*))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_dhcp_config.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_dhcp_config.md
index 9322b39..e788edd 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_dhcp_config.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_dhcp_config.md
@@ -48,6 +48,27 @@ level: critical
 
 
 
+### es-qs
+    
+```
+EventID:"1033"
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/DHCP-Server-Loaded-the-CallOut-DLL <<EOF\n{\n  "metadata": {\n    "title": "DHCP Server Loaded the CallOut DLL",\n    "description": "This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.t1073"\n    ],\n    "query": "EventID:\\"1033\\""\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "EventID:\\"1033\\"",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'DHCP Server Loaded the CallOut DLL\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+EventID:"1033"
+```
+
+
 ### splunk
     
 ```
@@ -55,4 +76,18 @@ EventID="1033"
 ```
 
 
+### logpoint
+    
+```
+(event_source="Microsoft-Windows-Security-Auditing" event_id="1033")
+```
+
+
+### grep
+    
+```
+grep -P '^1033'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_dhcp_config_failed.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_dhcp_config_failed.md
index 399e395..864806b 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_dhcp_config_failed.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_dhcp_config_failed.md
@@ -3,7 +3,7 @@
 | Description          | This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1073: DLL Side-Loading](https://attack.mitre.org/techniques/T1073)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0049_1034_dhcp_service_failed_to_load_callout_dlls](../Data_Needed/DN_0049_1034_dhcp_service_failed_to_load_callout_dlls.md)</li><li>[DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception](../Data_Needed/DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception.md)</li><li>[DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception](../Data_Needed/DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception](../Data_Needed/DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception.md)</li><li>[DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception](../Data_Needed/DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception.md)</li><li>[DN_0049_1034_dhcp_service_failed_to_load_callout_dlls](../Data_Needed/DN_0049_1034_dhcp_service_failed_to_load_callout_dlls.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1073: DLL Side-Loading](../Triggers/T1073.md)</li></ul>  |
 | Severity Level       | critical |
@@ -53,6 +53,27 @@ level: critical
 
 
 
+### es-qs
+    
+```
+(EventID:("1031" OR "1032" OR "1034") AND Source:"Microsoft\\-Windows\\-DHCP\\-Server")
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/DHCP-Server-Error-Failed-Loading-the-CallOut-DLL <<EOF\n{\n  "metadata": {\n    "title": "DHCP Server Error Failed Loading the CallOut DLL",\n    "description": "This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.t1073"\n    ],\n    "query": "(EventID:(\\"1031\\" OR \\"1032\\" OR \\"1034\\") AND Source:\\"Microsoft\\\\-Windows\\\\-DHCP\\\\-Server\\")"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:(\\"1031\\" OR \\"1032\\" OR \\"1034\\") AND Source:\\"Microsoft\\\\-Windows\\\\-DHCP\\\\-Server\\")",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'DHCP Server Error Failed Loading the CallOut DLL\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(EventID:("1031" "1032" "1034") AND Source:"Microsoft\\-Windows\\-DHCP\\-Server")
+```
+
+
 ### splunk
     
 ```
@@ -60,4 +81,18 @@ level: critical
 ```
 
 
+### logpoint
+    
+```
+(event_source="Microsoft-Windows-Security-Auditing" event_id IN ["1031", "1032", "1034"] Source="Microsoft-Windows-DHCP-Server")
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*1031|.*1032|.*1034))(?=.*Microsoft-Windows-DHCP-Server))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_dns_config.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_dns_config.md
index 771ae8c..be58b7e 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_dns_config.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_dns_config.md
@@ -3,7 +3,7 @@
 | Description          | This rule detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1073: DLL Side-Loading](https://attack.mitre.org/techniques/T1073)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0036_150_dns_server_could_not_load_dll](../Data_Needed/DN_0036_150_dns_server_could_not_load_dll.md)</li><li>[DN_0043_770_dns_server_plugin_dll_has_been_loaded](../Data_Needed/DN_0043_770_dns_server_plugin_dll_has_been_loaded.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0043_770_dns_server_plugin_dll_has_been_loaded](../Data_Needed/DN_0043_770_dns_server_plugin_dll_has_been_loaded.md)</li><li>[DN_0036_150_dns_server_could_not_load_dll](../Data_Needed/DN_0036_150_dns_server_could_not_load_dll.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1073: DLL Side-Loading](../Triggers/T1073.md)</li></ul>  |
 | Severity Level       | critical |
@@ -52,6 +52,27 @@ level: critical
 
 
 
+### es-qs
+    
+```
+EventID:("150" OR "770")
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/DNS-Server-Error-Failed-Loading-the-ServerLevelPluginDLL <<EOF\n{\n  "metadata": {\n    "title": "DNS Server Error Failed Loading the ServerLevelPluginDLL",\n    "description": "This rule detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.t1073"\n    ],\n    "query": "EventID:(\\"150\\" OR \\"770\\")"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "EventID:(\\"150\\" OR \\"770\\")",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'DNS Server Error Failed Loading the ServerLevelPluginDLL\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+EventID:("150" "770")
+```
+
+
 ### splunk
     
 ```
@@ -59,4 +80,18 @@ level: critical
 ```
 
 
+### logpoint
+    
+```
+(event_source="DNS Server" event_id IN ["150", "770"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*150|.*770)'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_dnx.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_dnx.md
index 8dd368d..f9bab2e 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_dnx.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_dnx.md
@@ -49,6 +49,27 @@ falsepositives:
 
 
 
+### es-qs
+    
+```
+Image.keyword:*\\\\dnx.exe
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Application-Whitelisting-bypass-via-dnx.exe <<EOF\n{\n  "metadata": {\n    "title": "Application Whitelisting bypass via dnx.exe",\n    "description": "Execute C# code located in the consoleapp folder",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.execution",\n      "attack.t1218"\n    ],\n    "query": "Image.keyword:*\\\\\\\\dnx.exe"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "Image.keyword:*\\\\\\\\dnx.exe",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Application Whitelisting bypass via dnx.exe\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+Image.keyword:*\\\\dnx.exe
+```
+
+
 ### splunk
     
 ```
@@ -56,4 +77,18 @@ Image="*\\\\dnx.exe"
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" Image="*\\\\dnx.exe")
+```
+
+
+### grep
+    
+```
+grep -P '^.*\\dnx\\.exe'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_double_extension.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_double_extension.md
index c436df6..7afd42f 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_double_extension.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_double_extension.md
@@ -3,7 +3,7 @@
 | Description          | Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0001: Initial Access](https://attack.mitre.org/tactics/TA0001)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1193: Spearphishing Attachment](https://attack.mitre.org/techniques/T1193)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1193: Spearphishing Attachment](../Triggers/T1193.md)</li></ul>  |
 | Severity Level       | critical |
@@ -58,6 +58,27 @@ level: critical
 
 
 
+### es-qs
+    
+```
+Image.keyword:(*.doc.exe OR *.docx.exe OR *.xls.exe OR *.xlsx.exe OR *.ppt.exe OR *.pptx.exe OR *.rtf.exe OR *.pdf.exe OR *.txt.exe OR *\\ \\ \\ \\ \\ \\ .exe OR *______.exe)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-Double-Extension <<EOF\n{\n  "metadata": {\n    "title": "Suspicious Double Extension",\n    "description": "Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns",\n    "tags": [\n      "attack.initial_access",\n      "attack.t1193"\n    ],\n    "query": "Image.keyword:(*.doc.exe OR *.docx.exe OR *.xls.exe OR *.xlsx.exe OR *.ppt.exe OR *.pptx.exe OR *.rtf.exe OR *.pdf.exe OR *.txt.exe OR *\\\\ \\\\ \\\\ \\\\ \\\\ \\\\ .exe OR *______.exe)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "Image.keyword:(*.doc.exe OR *.docx.exe OR *.xls.exe OR *.xlsx.exe OR *.ppt.exe OR *.pptx.exe OR *.rtf.exe OR *.pdf.exe OR *.txt.exe OR *\\\\ \\\\ \\\\ \\\\ \\\\ \\\\ .exe OR *______.exe)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Suspicious Double Extension\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+Image.keyword:(*.doc.exe *.docx.exe *.xls.exe *.xlsx.exe *.ppt.exe *.pptx.exe *.rtf.exe *.pdf.exe *.txt.exe *      .exe *______.exe)
+```
+
+
 ### splunk
     
 ```
@@ -65,4 +86,18 @@ level: critical
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" Image IN ["*.doc.exe", "*.docx.exe", "*.xls.exe", "*.xlsx.exe", "*.ppt.exe", "*.pptx.exe", "*.rtf.exe", "*.pdf.exe", "*.txt.exe", "*      .exe", "*______.exe"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*.*\\.doc\\.exe|.*.*\\.docx\\.exe|.*.*\\.xls\\.exe|.*.*\\.xlsx\\.exe|.*.*\\.ppt\\.exe|.*.*\\.pptx\\.exe|.*.*\\.rtf\\.exe|.*.*\\.pdf\\.exe|.*.*\\.txt\\.exe|.*.*      \\.exe|.*.*______\\.exe)'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_dsrm_password_change.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_dsrm_password_change.md
index 823c192..a4a544c 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_dsrm_password_change.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_dsrm_password_change.md
@@ -46,6 +46,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+EventID:"4794"
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Password-Change-on-Directory-Service-Restore-Mode-DSRM-Account <<EOF\n{\n  "metadata": {\n    "title": "Password Change on Directory Service Restore Mode (DSRM) Account",\n    "description": "The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.",\n    "tags": [\n      "attack.persistence",\n      "attack.privilege_escalation",\n      "attack.t1098"\n    ],\n    "query": "EventID:\\"4794\\""\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "EventID:\\"4794\\"",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Password Change on Directory Service Restore Mode (DSRM) Account\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+EventID:"4794"
+```
+
+
 ### splunk
     
 ```
@@ -53,4 +74,18 @@ EventID="4794"
 ```
 
 
+### logpoint
+    
+```
+(event_source="Microsoft-Windows-Security-Auditing" event_id="4794")
+```
+
+
+### grep
+    
+```
+grep -P '^4794'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_dxcap.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_dxcap.md
index 9b98002..35aecb6 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_dxcap.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_dxcap.md
@@ -52,6 +52,27 @@ falsepositives:
 
 
 
+### es-qs
+    
+```
+(Image.keyword:*\\\\dxcap.exe AND CommandLine.keyword:*\\-c* AND CommandLine.keyword:*.exe*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Application-Whitelisting-bypass-via-dxcap.exe <<EOF\n{\n  "metadata": {\n    "title": "Application Whitelisting bypass via dxcap.exe",\n    "description": "Detects execution of of Dxcap.exe",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.execution",\n      "attack.t1218"\n    ],\n    "query": "(Image.keyword:*\\\\\\\\dxcap.exe AND CommandLine.keyword:*\\\\-c* AND CommandLine.keyword:*.exe*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(Image.keyword:*\\\\\\\\dxcap.exe AND CommandLine.keyword:*\\\\-c* AND CommandLine.keyword:*.exe*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Application Whitelisting bypass via dxcap.exe\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(Image.keyword:*\\\\dxcap.exe AND CommandLine.keyword:*\\-c* AND CommandLine.keyword:*.exe*)
+```
+
+
 ### splunk
     
 ```
@@ -59,4 +80,18 @@ falsepositives:
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" Image="*\\\\dxcap.exe" CommandLine="*-c*" CommandLine="*.exe*")
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*.*\\dxcap\\.exe)(?=.*.*-c.*)(?=.*.*\\.exe.*))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_eventlog_clear.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_eventlog_clear.md
index ceb8726..8315a37 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_eventlog_clear.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_eventlog_clear.md
@@ -56,6 +56,27 @@ falsepositives:
 
 
 
+### es-qs
+    
+```
+((Image.keyword:*\\\\wevtutil.exe OR OriginalFileName:"wevtutil.exe") AND (CommandLine.keyword:*\\ cl\\ * OR CommandLine.keyword:*\\ clear\\-log\\ * OR CommandLine.keyword:*\\ sl\\ * OR CommandLine.keyword:*\\ set\\-log\\ *))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-eventlog-clear-or-configuration-using-wevtutil <<EOF\n{\n  "metadata": {\n    "title": "Suspicious eventlog clear or configuration using wevtutil",\n    "description": "Detects clearing or configuration of eventlogs uwing wevtutil. Might be used by ransomwares during the attack (seen by NotPetya and others)",\n    "tags": [\n      "attack.execution",\n      "attack.t1070",\n      "car.2016-04-002"\n    ],\n    "query": "((Image.keyword:*\\\\\\\\wevtutil.exe OR OriginalFileName:\\"wevtutil.exe\\") AND (CommandLine.keyword:*\\\\ cl\\\\ * OR CommandLine.keyword:*\\\\ clear\\\\-log\\\\ * OR CommandLine.keyword:*\\\\ sl\\\\ * OR CommandLine.keyword:*\\\\ set\\\\-log\\\\ *))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "((Image.keyword:*\\\\\\\\wevtutil.exe OR OriginalFileName:\\"wevtutil.exe\\") AND (CommandLine.keyword:*\\\\ cl\\\\ * OR CommandLine.keyword:*\\\\ clear\\\\-log\\\\ * OR CommandLine.keyword:*\\\\ sl\\\\ * OR CommandLine.keyword:*\\\\ set\\\\-log\\\\ *))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Suspicious eventlog clear or configuration using wevtutil\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+((Image.keyword:*\\\\wevtutil.exe OR OriginalFileName:"wevtutil.exe") AND (CommandLine.keyword:* cl * OR CommandLine.keyword:* clear\\-log * OR CommandLine.keyword:* sl * OR CommandLine.keyword:* set\\-log *))
+```
+
+
 ### splunk
     
 ```
@@ -63,4 +84,18 @@ falsepositives:
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" (Image="*\\\\wevtutil.exe" OR OriginalFileName="wevtutil.exe") (CommandLine="* cl *" OR CommandLine="* clear-log *" OR CommandLine="* sl *" OR CommandLine="* set-log *"))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*(?:.*.*\\wevtutil\\.exe|.*wevtutil\\.exe)))(?=.*(?:.*(?:.*.* cl .*|.*.* clear-log .*|.*.* sl .*|.*.* set-log .*))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_eventlog_cleared.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_eventlog_cleared.md
index 78157d7..44aabee 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_eventlog_cleared.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_eventlog_cleared.md
@@ -48,6 +48,27 @@ level: medium
 
 
 
+### es-qs
+    
+```
+(EventID:"104" AND Source:"Microsoft\\-Windows\\-Eventlog")
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Eventlog-Cleared <<EOF\n{\n  "metadata": {\n    "title": "Eventlog Cleared",\n    "description": "One of the Windows Eventlogs has been cleared. e.g. caused by \\"wevtutil cl\\" command execution",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.t1070",\n      "car.2016-04-002"\n    ],\n    "query": "(EventID:\\"104\\" AND Source:\\"Microsoft\\\\-Windows\\\\-Eventlog\\")"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:\\"104\\" AND Source:\\"Microsoft\\\\-Windows\\\\-Eventlog\\")",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Eventlog Cleared\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(EventID:"104" AND Source:"Microsoft\\-Windows\\-Eventlog")
+```
+
+
 ### splunk
     
 ```
@@ -55,4 +76,18 @@ level: medium
 ```
 
 
+### logpoint
+    
+```
+(event_source="Microsoft-Windows-Security-Auditing" event_id="104" Source="Microsoft-Windows-Eventlog")
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*104)(?=.*Microsoft-Windows-Eventlog))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_exec_folder.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_exec_folder.md
index 75fff8c..a01d5c6 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_exec_folder.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_exec_folder.md
@@ -3,7 +3,7 @@
 | Description          | Detects process starts of binaries from a suspicious folder                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1036: Masquerading](../Triggers/T1036.md)</li></ul>  |
 | Severity Level       | high |
@@ -64,6 +64,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+Image.keyword:(C\\:\\\\PerfLogs\\\\* OR C\\:\\\\$Recycle.bin\\\\* OR C\\:\\\\Intel\\\\Logs\\\\* OR C\\:\\\\Users\\\\Default\\\\* OR C\\:\\\\Users\\\\Public\\\\* OR C\\:\\\\Users\\\\NetworkService\\\\* OR C\\:\\\\Windows\\\\Fonts\\\\* OR C\\:\\\\Windows\\\\Debug\\\\* OR C\\:\\\\Windows\\\\Media\\\\* OR C\\:\\\\Windows\\\\Help\\\\* OR C\\:\\\\Windows\\\\addins\\\\* OR C\\:\\\\Windows\\\\repair\\\\* OR C\\:\\\\Windows\\\\security\\\\* OR *\\\\RSA\\\\MachineKeys\\\\* OR C\\:\\\\Windows\\\\system32\\\\config\\\\systemprofile\\\\*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Executables-Started-in-Suspicious-Folder <<EOF\n{\n  "metadata": {\n    "title": "Executables Started in Suspicious Folder",\n    "description": "Detects process starts of binaries from a suspicious folder",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.t1036"\n    ],\n    "query": "Image.keyword:(C\\\\:\\\\\\\\PerfLogs\\\\\\\\* OR C\\\\:\\\\\\\\$Recycle.bin\\\\\\\\* OR C\\\\:\\\\\\\\Intel\\\\\\\\Logs\\\\\\\\* OR C\\\\:\\\\\\\\Users\\\\\\\\Default\\\\\\\\* OR C\\\\:\\\\\\\\Users\\\\\\\\Public\\\\\\\\* OR C\\\\:\\\\\\\\Users\\\\\\\\NetworkService\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\Fonts\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\Debug\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\Media\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\Help\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\addins\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\repair\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\security\\\\\\\\* OR *\\\\\\\\RSA\\\\\\\\MachineKeys\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\config\\\\\\\\systemprofile\\\\\\\\*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "Image.keyword:(C\\\\:\\\\\\\\PerfLogs\\\\\\\\* OR C\\\\:\\\\\\\\$Recycle.bin\\\\\\\\* OR C\\\\:\\\\\\\\Intel\\\\\\\\Logs\\\\\\\\* OR C\\\\:\\\\\\\\Users\\\\\\\\Default\\\\\\\\* OR C\\\\:\\\\\\\\Users\\\\\\\\Public\\\\\\\\* OR C\\\\:\\\\\\\\Users\\\\\\\\NetworkService\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\Fonts\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\Debug\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\Media\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\Help\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\addins\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\repair\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\security\\\\\\\\* OR *\\\\\\\\RSA\\\\\\\\MachineKeys\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\config\\\\\\\\systemprofile\\\\\\\\*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Executables Started in Suspicious Folder\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+Image.keyword:(C\\:\\\\PerfLogs\\\\* C\\:\\\\$Recycle.bin\\\\* C\\:\\\\Intel\\\\Logs\\\\* C\\:\\\\Users\\\\Default\\\\* C\\:\\\\Users\\\\Public\\\\* C\\:\\\\Users\\\\NetworkService\\\\* C\\:\\\\Windows\\\\Fonts\\\\* C\\:\\\\Windows\\\\Debug\\\\* C\\:\\\\Windows\\\\Media\\\\* C\\:\\\\Windows\\\\Help\\\\* C\\:\\\\Windows\\\\addins\\\\* C\\:\\\\Windows\\\\repair\\\\* C\\:\\\\Windows\\\\security\\\\* *\\\\RSA\\\\MachineKeys\\\\* C\\:\\\\Windows\\\\system32\\\\config\\\\systemprofile\\\\*)
+```
+
+
 ### splunk
     
 ```
@@ -71,4 +92,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" Image IN ["C:\\\\PerfLogs\\\\*", "C:\\\\$Recycle.bin\\\\*", "C:\\\\Intel\\\\Logs\\\\*", "C:\\\\Users\\\\Default\\\\*", "C:\\\\Users\\\\Public\\\\*", "C:\\\\Users\\\\NetworkService\\\\*", "C:\\\\Windows\\\\Fonts\\\\*", "C:\\\\Windows\\\\Debug\\\\*", "C:\\\\Windows\\\\Media\\\\*", "C:\\\\Windows\\\\Help\\\\*", "C:\\\\Windows\\\\addins\\\\*", "C:\\\\Windows\\\\repair\\\\*", "C:\\\\Windows\\\\security\\\\*", "*\\\\RSA\\\\MachineKeys\\\\*", "C:\\\\Windows\\\\system32\\\\config\\\\systemprofile\\\\*"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*C:\\PerfLogs\\\\.*|.*C:\\\\$Recycle\\.bin\\\\.*|.*C:\\Intel\\Logs\\\\.*|.*C:\\Users\\Default\\\\.*|.*C:\\Users\\Public\\\\.*|.*C:\\Users\\NetworkService\\\\.*|.*C:\\Windows\\Fonts\\\\.*|.*C:\\Windows\\Debug\\\\.*|.*C:\\Windows\\Media\\\\.*|.*C:\\Windows\\Help\\\\.*|.*C:\\Windows\\addins\\\\.*|.*C:\\Windows\\repair\\\\.*|.*C:\\Windows\\security\\\\.*|.*.*\\RSA\\MachineKeys\\\\.*|.*C:\\Windows\\system32\\config\\systemprofile\\\\.*)'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_execution_path.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_execution_path.md
index 064b721..cce45b3 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_execution_path.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_execution_path.md
@@ -3,7 +3,7 @@
 | Description          | Detects a suspicious exection from an uncommon folder                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1036: Masquerading](../Triggers/T1036.md)</li></ul>  |
 | Severity Level       | high |
@@ -55,6 +55,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+Image.keyword:(*\\\\$Recycle.bin OR *\\\\Users\\\\All\\ Users\\\\* OR *\\\\Users\\\\Default\\\\* OR *\\\\Users\\\\Public\\\\* OR C\\:\\\\Perflogs\\\\* OR *\\\\config\\\\systemprofile\\\\* OR *\\\\Windows\\\\Fonts\\\\* OR *\\\\Windows\\\\IME\\\\* OR *\\\\Windows\\\\addins\\\\*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Execution-in-Non-Executable-Folder <<EOF\n{\n  "metadata": {\n    "title": "Execution in Non-Executable Folder",\n    "description": "Detects a suspicious exection from an uncommon folder",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.t1036"\n    ],\n    "query": "Image.keyword:(*\\\\\\\\$Recycle.bin OR *\\\\\\\\Users\\\\\\\\All\\\\ Users\\\\\\\\* OR *\\\\\\\\Users\\\\\\\\Default\\\\\\\\* OR *\\\\\\\\Users\\\\\\\\Public\\\\\\\\* OR C\\\\:\\\\\\\\Perflogs\\\\\\\\* OR *\\\\\\\\config\\\\\\\\systemprofile\\\\\\\\* OR *\\\\\\\\Windows\\\\\\\\Fonts\\\\\\\\* OR *\\\\\\\\Windows\\\\\\\\IME\\\\\\\\* OR *\\\\\\\\Windows\\\\\\\\addins\\\\\\\\*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "Image.keyword:(*\\\\\\\\$Recycle.bin OR *\\\\\\\\Users\\\\\\\\All\\\\ Users\\\\\\\\* OR *\\\\\\\\Users\\\\\\\\Default\\\\\\\\* OR *\\\\\\\\Users\\\\\\\\Public\\\\\\\\* OR C\\\\:\\\\\\\\Perflogs\\\\\\\\* OR *\\\\\\\\config\\\\\\\\systemprofile\\\\\\\\* OR *\\\\\\\\Windows\\\\\\\\Fonts\\\\\\\\* OR *\\\\\\\\Windows\\\\\\\\IME\\\\\\\\* OR *\\\\\\\\Windows\\\\\\\\addins\\\\\\\\*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Execution in Non-Executable Folder\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n      CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+Image.keyword:(*\\\\$Recycle.bin *\\\\Users\\\\All Users\\\\* *\\\\Users\\\\Default\\\\* *\\\\Users\\\\Public\\\\* C\\:\\\\Perflogs\\\\* *\\\\config\\\\systemprofile\\\\* *\\\\Windows\\\\Fonts\\\\* *\\\\Windows\\\\IME\\\\* *\\\\Windows\\\\addins\\\\*)
+```
+
+
 ### splunk
     
 ```
@@ -62,4 +83,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" Image IN ["*\\\\$Recycle.bin", "*\\\\Users\\\\All Users\\\\*", "*\\\\Users\\\\Default\\\\*", "*\\\\Users\\\\Public\\\\*", "C:\\\\Perflogs\\\\*", "*\\\\config\\\\systemprofile\\\\*", "*\\\\Windows\\\\Fonts\\\\*", "*\\\\Windows\\\\IME\\\\*", "*\\\\Windows\\\\addins\\\\*"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*.*\\\\$Recycle\\.bin|.*.*\\Users\\All Users\\\\.*|.*.*\\Users\\Default\\\\.*|.*.*\\Users\\Public\\\\.*|.*C:\\Perflogs\\\\.*|.*.*\\config\\systemprofile\\\\.*|.*.*\\Windows\\Fonts\\\\.*|.*.*\\Windows\\IME\\\\.*|.*.*\\Windows\\addins\\\\.*)'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_execution_path_webserver.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_execution_path_webserver.md
index cf78e89..d4a74f6 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_execution_path_webserver.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_execution_path_webserver.md
@@ -3,7 +3,7 @@
 | Description          | Detects a suspicious program execution in a web service root folder (filter out false positives)                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1100: Web Shell](https://attack.mitre.org/techniques/T1100)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1100: Web Shell](../Triggers/T1100.md)</li></ul>  |
 | Severity Level       | medium |
@@ -57,6 +57,27 @@ level: medium
 
 
 
+### es-qs
+    
+```
+(Image.keyword:(*\\\\wwwroot\\\\* OR *\\\\wmpub\\\\* OR *\\\\htdocs\\\\*) AND (NOT (Image.keyword:(*bin\\\\* OR *\\\\Tools\\\\* OR *\\\\SMSComponent\\\\*) AND ParentImage.keyword:(*\\\\services.exe))))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Execution-in-Webserver-Root-Folder <<EOF\n{\n  "metadata": {\n    "title": "Execution in Webserver Root Folder",\n    "description": "Detects a suspicious program execution in a web service root folder (filter out false positives)",\n    "tags": [\n      "attack.persistence",\n      "attack.t1100"\n    ],\n    "query": "(Image.keyword:(*\\\\\\\\wwwroot\\\\\\\\* OR *\\\\\\\\wmpub\\\\\\\\* OR *\\\\\\\\htdocs\\\\\\\\*) AND (NOT (Image.keyword:(*bin\\\\\\\\* OR *\\\\\\\\Tools\\\\\\\\* OR *\\\\\\\\SMSComponent\\\\\\\\*) AND ParentImage.keyword:(*\\\\\\\\services.exe))))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(Image.keyword:(*\\\\\\\\wwwroot\\\\\\\\* OR *\\\\\\\\wmpub\\\\\\\\* OR *\\\\\\\\htdocs\\\\\\\\*) AND (NOT (Image.keyword:(*bin\\\\\\\\* OR *\\\\\\\\Tools\\\\\\\\* OR *\\\\\\\\SMSComponent\\\\\\\\*) AND ParentImage.keyword:(*\\\\\\\\services.exe))))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Execution in Webserver Root Folder\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n      CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(Image.keyword:(*\\\\wwwroot\\\\* *\\\\wmpub\\\\* *\\\\htdocs\\\\*) AND (NOT (Image.keyword:(*bin\\\\* *\\\\Tools\\\\* *\\\\SMSComponent\\\\*) AND ParentImage.keyword:(*\\\\services.exe))))
+```
+
+
 ### splunk
     
 ```
@@ -64,4 +85,18 @@ level: medium
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" Image IN ["*\\\\wwwroot\\\\*", "*\\\\wmpub\\\\*", "*\\\\htdocs\\\\*"]  -(Image IN ["*bin\\\\*", "*\\\\Tools\\\\*", "*\\\\SMSComponent\\\\*"] ParentImage IN ["*\\\\services.exe"]))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*.*\\wwwroot\\\\.*|.*.*\\wmpub\\\\.*|.*.*\\htdocs\\\\.*))(?=.*(?!.*(?:.*(?=.*(?:.*.*bin\\\\.*|.*.*\\Tools\\\\.*|.*.*\\SMSComponent\\\\.*))(?=.*(?:.*.*\\services\\.exe))))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_failed_logon_reasons.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_failed_logon_reasons.md
index 6960bb7..fa643f7 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_failed_logon_reasons.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_failed_logon_reasons.md
@@ -56,6 +56,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(EventID:("4625" OR "4776") AND Status:("0xC0000072" OR "0xC000006F" OR "0xC0000070" OR "0xC0000413" OR "0xC000018C" OR "0xC000015B"))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Account-Tampering---Suspicious-Failed-Logon-Reasons <<EOF\n{\n  "metadata": {\n    "title": "Account Tampering - Suspicious Failed Logon Reasons",\n    "description": "This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.",\n    "tags": [\n      "attack.persistence",\n      "attack.privilege_escalation",\n      "attack.t1078"\n    ],\n    "query": "(EventID:(\\"4625\\" OR \\"4776\\") AND Status:(\\"0xC0000072\\" OR \\"0xC000006F\\" OR \\"0xC0000070\\" OR \\"0xC0000413\\" OR \\"0xC000018C\\" OR \\"0xC000015B\\"))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:(\\"4625\\" OR \\"4776\\") AND Status:(\\"0xC0000072\\" OR \\"0xC000006F\\" OR \\"0xC0000070\\" OR \\"0xC0000413\\" OR \\"0xC000018C\\" OR \\"0xC000015B\\"))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Account Tampering - Suspicious Failed Logon Reasons\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(EventID:("4625" "4776") AND Status:("0xC0000072" "0xC000006F" "0xC0000070" "0xC0000413" "0xC000018C" "0xC000015B"))
+```
+
+
 ### splunk
     
 ```
@@ -63,4 +84,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_source="Microsoft-Windows-Security-Auditing" event_id IN ["4625", "4776"] Status IN ["0xC0000072", "0xC000006F", "0xC0000070", "0xC0000413", "0xC000018C", "0xC000015B"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*4625|.*4776))(?=.*(?:.*0xC0000072|.*0xC000006F|.*0xC0000070|.*0xC0000413|.*0xC000018C|.*0xC000015B)))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_failed_logons_single_source.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_failed_logons_single_source.md
index 7748827..f704614 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_failed_logons_single_source.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_failed_logons_single_source.md
@@ -3,7 +3,7 @@
 | Description          | Detects suspicious failed logins with different user accounts from a single source system                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1078: Valid Accounts](https://attack.mitre.org/techniques/T1078)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0041_529_logon_failure](../Data_Needed/DN_0041_529_logon_failure.md)</li><li>[DN_0057_4625_account_failed_to_logon](../Data_Needed/DN_0057_4625_account_failed_to_logon.md)</li><li>[DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account](../Data_Needed/DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account](../Data_Needed/DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account.md)</li><li>[DN_0057_4625_account_failed_to_logon](../Data_Needed/DN_0057_4625_account_failed_to_logon.md)</li><li>[DN_0041_529_logon_failure](../Data_Needed/DN_0041_529_logon_failure.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1078: Valid Accounts](../Triggers/T1078.md)</li></ul>  |
 | Severity Level       | medium |
@@ -59,6 +59,27 @@ level: medium
 
 
 
+### es-qs
+    
+```
+
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Multiple-Failed-Logins-with-Different-Accounts-from-Single-Source-System <<EOF\n{\n  "metadata": {\n    "title": "Multiple Failed Logins with Different Accounts from Single Source System",\n    "description": "Detects suspicious failed logins with different user accounts from a single source system",\n    "tags": [\n      "attack.persistence",\n      "attack.privilege_escalation",\n      "attack.t1078"\n    ],\n    "query": "(EventID:(\\"529\\" OR \\"4625\\") AND UserName.keyword:* AND WorkstationName.keyword:*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "24h"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:(\\"529\\" OR \\"4625\\") AND UserName.keyword:* AND WorkstationName.keyword:*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          },\n          "aggs": {\n            "by": {\n              "terms": {\n                "field": "WorkstationName.keyword",\n                "size": 10,\n                "order": {\n                  "_count": "desc"\n                },\n                "min_doc_count": 4\n              },\n              "aggs": {\n                "agg": {\n                  "terms": {\n                    "field": "UserName.keyword",\n                    "size": 10,\n                    "order": {\n                      "_count": "desc"\n                    },\n                    "min_doc_count": 4\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.aggregations.by.buckets.0.agg.buckets.0.doc_count": {\n        "gt": 3\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Multiple Failed Logins with Different Accounts from Single Source System\'",\n        "body": "Hits:\\n{{#aggregations.agg.buckets}}\\n {{key}} {{doc_count}}\\n\\n{{#by.buckets}}\\n-- {{key}} {{doc_count}}\\n{{/by.buckets}}\\n\\n{{/aggregations.agg.buckets}}\\n",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\ncurl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Multiple-Failed-Logins-with-Different-Accounts-from-Single-Source-System-2 <<EOF\n{\n  "metadata": {\n    "title": "Multiple Failed Logins with Different Accounts from Single Source System",\n    "description": "Detects suspicious failed logins with different user accounts from a single source system",\n    "tags": [\n      "attack.persistence",\n      "attack.privilege_escalation",\n      "attack.t1078"\n    ],\n    "query": "(EventID:\\"4776\\" AND UserName.keyword:* AND Workstation.keyword:*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "24h"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:\\"4776\\" AND UserName.keyword:* AND Workstation.keyword:*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          },\n          "aggs": {\n            "by": {\n              "terms": {\n                "field": "Workstation.keyword",\n                "size": 10,\n                "order": {\n                  "_count": "desc"\n                },\n                "min_doc_count": 4\n              },\n              "aggs": {\n                "agg": {\n                  "terms": {\n                    "field": "UserName.keyword",\n                    "size": 10,\n                    "order": {\n                      "_count": "desc"\n                    },\n                    "min_doc_count": 4\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.aggregations.by.buckets.0.agg.buckets.0.doc_count": {\n        "gt": 3\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Multiple Failed Logins with Different Accounts from Single Source System\'",\n        "body": "Hits:\\n{{#aggregations.agg.buckets}}\\n {{key}} {{doc_count}}\\n\\n{{#by.buckets}}\\n-- {{key}} {{doc_count}}\\n{{/by.buckets}}\\n\\n{{/aggregations.agg.buckets}}\\n",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+
+```
+
+
 ### splunk
     
 ```
@@ -66,4 +87,18 @@ level: medium
 ```
 
 
+### logpoint
+    
+```
+
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*529|.*4625))(?=.*.*)(?=.*.*))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_firewall_disable.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_firewall_disable.md
index 27fee1c..039ce4e 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_firewall_disable.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_firewall_disable.md
@@ -3,7 +3,7 @@
 | Description          | Detects netsh commands that turns off the Windows firewall                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
 | ATT&amp;CK Technique |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              |  There is no documented Trigger for this Detection Rule yet  |
 | Severity Level       | medium |
@@ -48,6 +48,27 @@ level: medium
 
 
 
+### es-qs
+    
+```
+CommandLine.keyword:(netsh\\ firewall\\ set\\ opmode\\ mode\\=disable OR netsh\\ advfirewall\\ set\\ *\\ state\\ off)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Firewall-Disabled-via-Netsh <<EOF\n{\n  "metadata": {\n    "title": "Firewall Disabled via Netsh",\n    "description": "Detects netsh commands that turns off the Windows firewall",\n    "tags": [\n      "attack.defense_evasion"\n    ],\n    "query": "CommandLine.keyword:(netsh\\\\ firewall\\\\ set\\\\ opmode\\\\ mode\\\\=disable OR netsh\\\\ advfirewall\\\\ set\\\\ *\\\\ state\\\\ off)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "CommandLine.keyword:(netsh\\\\ firewall\\\\ set\\\\ opmode\\\\ mode\\\\=disable OR netsh\\\\ advfirewall\\\\ set\\\\ *\\\\ state\\\\ off)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Firewall Disabled via Netsh\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+CommandLine.keyword:(netsh firewall set opmode mode=disable netsh advfirewall set * state off)
+```
+
+
 ### splunk
     
 ```
@@ -55,4 +76,18 @@ level: medium
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" CommandLine IN ["netsh firewall set opmode mode=disable", "netsh advfirewall set * state off"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*netsh firewall set opmode mode=disable|.*netsh advfirewall set .* state off)'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_fsutil_usage.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_fsutil_usage.md
index 85cb1a8..8cd97a7 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_fsutil_usage.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_fsutil_usage.md
@@ -52,6 +52,27 @@ falsepositives:
 
 
 
+### es-qs
+    
+```
+((Image.keyword:*\\\\fsutil.exe OR OriginalFileName:"fsutil.exe") AND CommandLine.keyword:(*\\ deletejournal\\ * OR *\\ createjournal\\ *))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Fsutil-suspicious-invocation <<EOF\n{\n  "metadata": {\n    "title": "Fsutil suspicious invocation",\n    "description": "Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size..). Might be used by ransomwares during the attack (seen by NotPetya and others)",\n    "tags": "",\n    "query": "((Image.keyword:*\\\\\\\\fsutil.exe OR OriginalFileName:\\"fsutil.exe\\") AND CommandLine.keyword:(*\\\\ deletejournal\\\\ * OR *\\\\ createjournal\\\\ *))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "((Image.keyword:*\\\\\\\\fsutil.exe OR OriginalFileName:\\"fsutil.exe\\") AND CommandLine.keyword:(*\\\\ deletejournal\\\\ * OR *\\\\ createjournal\\\\ *))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Fsutil suspicious invocation\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+((Image.keyword:*\\\\fsutil.exe OR OriginalFileName:"fsutil.exe") AND CommandLine.keyword:(* deletejournal * * createjournal *))
+```
+
+
 ### splunk
     
 ```
@@ -59,4 +80,18 @@ falsepositives:
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" (Image="*\\\\fsutil.exe" OR OriginalFileName="fsutil.exe") CommandLine IN ["* deletejournal *", "* createjournal *"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*(?:.*.*\\fsutil\\.exe|.*fsutil\\.exe)))(?=.*(?:.*.* deletejournal .*|.*.* createjournal .*)))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_gup.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_gup.md
index 7437d1e..0b5b1dc 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_gup.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_gup.md
@@ -3,7 +3,7 @@
 | Description          | Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1073: DLL Side-Loading](https://attack.mitre.org/techniques/T1073)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1073: DLL Side-Loading](../Triggers/T1073.md)</li></ul>  |
 | Severity Level       | high |
@@ -52,6 +52,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(Image.keyword:*\\\\GUP.exe AND (NOT (Image.keyword:(C\\:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Notepad\\+\\+\\\\updater\\\\gup.exe OR C\\:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Notepad\\+\\+\\\\updater\\\\gup.exe OR C\\:\\\\Program\\ Files\\\\Notepad\\+\\+\\\\updater\\\\gup.exe OR C\\:\\\\Program\\ Files\\ \\(x86\\)\\\\Notepad\\+\\+\\\\updater\\\\gup.exe))))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-GUP-Usage <<EOF\n{\n  "metadata": {\n    "title": "Suspicious GUP Usage",\n    "description": "Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.t1073"\n    ],\n    "query": "(Image.keyword:*\\\\\\\\GUP.exe AND (NOT (Image.keyword:(C\\\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Notepad\\\\+\\\\+\\\\\\\\updater\\\\\\\\gup.exe OR C\\\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Notepad\\\\+\\\\+\\\\\\\\updater\\\\\\\\gup.exe OR C\\\\:\\\\\\\\Program\\\\ Files\\\\\\\\Notepad\\\\+\\\\+\\\\\\\\updater\\\\\\\\gup.exe OR C\\\\:\\\\\\\\Program\\\\ Files\\\\ \\\\(x86\\\\)\\\\\\\\Notepad\\\\+\\\\+\\\\\\\\updater\\\\\\\\gup.exe))))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(Image.keyword:*\\\\\\\\GUP.exe AND (NOT (Image.keyword:(C\\\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Notepad\\\\+\\\\+\\\\\\\\updater\\\\\\\\gup.exe OR C\\\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Notepad\\\\+\\\\+\\\\\\\\updater\\\\\\\\gup.exe OR C\\\\:\\\\\\\\Program\\\\ Files\\\\\\\\Notepad\\\\+\\\\+\\\\\\\\updater\\\\\\\\gup.exe OR C\\\\:\\\\\\\\Program\\\\ Files\\\\ \\\\(x86\\\\)\\\\\\\\Notepad\\\\+\\\\+\\\\\\\\updater\\\\\\\\gup.exe))))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Suspicious GUP Usage\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(Image.keyword:*\\\\GUP.exe AND (NOT (Image.keyword:(C\\:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Notepad\\+\\+\\\\updater\\\\gup.exe C\\:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Notepad\\+\\+\\\\updater\\\\gup.exe C\\:\\\\Program Files\\\\Notepad\\+\\+\\\\updater\\\\gup.exe C\\:\\\\Program Files \\(x86\\)\\\\Notepad\\+\\+\\\\updater\\\\gup.exe))))
+```
+
+
 ### splunk
     
 ```
@@ -59,4 +80,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" Image="*\\\\GUP.exe"  -(Image IN ["C:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Notepad++\\\\updater\\\\gup.exe", "C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Notepad++\\\\updater\\\\gup.exe", "C:\\\\Program Files\\\\Notepad++\\\\updater\\\\gup.exe", "C:\\\\Program Files (x86)\\\\Notepad++\\\\updater\\\\gup.exe"]))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*.*\\GUP\\.exe)(?=.*(?!.*(?:.*(?=.*(?:.*C:\\Users\\\\.*\\AppData\\Local\\Notepad\\+\\+\\updater\\gup\\.exe|.*C:\\Users\\\\.*\\AppData\\Roaming\\Notepad\\+\\+\\updater\\gup\\.exe|.*C:\\Program Files\\Notepad\\+\\+\\updater\\gup\\.exe|.*C:\\Program Files \\(x86\\)\\Notepad\\+\\+\\updater\\gup\\.exe))))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_interactive_logons.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_interactive_logons.md
index 2d58ba3..0123d48 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_interactive_logons.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_interactive_logons.md
@@ -3,7 +3,7 @@
 | Description          | Detects interactive console logons to                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1078: Valid Accounts](https://attack.mitre.org/techniques/T1078)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0041_529_logon_failure](../Data_Needed/DN_0041_529_logon_failure.md)</li><li>[DN_0040_528_user_successfully_logged_on_to_a_computer](../Data_Needed/DN_0040_528_user_successfully_logged_on_to_a_computer.md)</li><li>[DN_0057_4625_account_failed_to_logon](../Data_Needed/DN_0057_4625_account_failed_to_logon.md)</li><li>[DN_0004_4624_windows_account_logon](../Data_Needed/DN_0004_4624_windows_account_logon.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0004_4624_windows_account_logon](../Data_Needed/DN_0004_4624_windows_account_logon.md)</li><li>[DN_0040_528_user_successfully_logged_on_to_a_computer](../Data_Needed/DN_0040_528_user_successfully_logged_on_to_a_computer.md)</li><li>[DN_0057_4625_account_failed_to_logon](../Data_Needed/DN_0057_4625_account_failed_to_logon.md)</li><li>[DN_0041_529_logon_failure](../Data_Needed/DN_0041_529_logon_failure.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1078: Valid Accounts](../Triggers/T1078.md)</li></ul>  |
 | Severity Level       | medium |
@@ -55,6 +55,27 @@ level: medium
 
 
 
+### es-qs
+    
+```
+((EventID:("528" OR "529" OR "4624" OR "4625") AND LogonType:"2" AND ComputerName:("%ServerSystems%" OR "%DomainControllers%")) AND (NOT (LogonProcessName:"Advapi" AND ComputerName:"%Workstations%")))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Interactive-Logon-to-Server-Systems <<EOF\n{\n  "metadata": {\n    "title": "Interactive Logon to Server Systems",\n    "description": "Detects interactive console logons to",\n    "tags": [\n      "attack.lateral_movement",\n      "attack.t1078"\n    ],\n    "query": "((EventID:(\\"528\\" OR \\"529\\" OR \\"4624\\" OR \\"4625\\") AND LogonType:\\"2\\" AND ComputerName:(\\"%ServerSystems%\\" OR \\"%DomainControllers%\\")) AND (NOT (LogonProcessName:\\"Advapi\\" AND ComputerName:\\"%Workstations%\\")))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "((EventID:(\\"528\\" OR \\"529\\" OR \\"4624\\" OR \\"4625\\") AND LogonType:\\"2\\" AND ComputerName:(\\"%ServerSystems%\\" OR \\"%DomainControllers%\\")) AND (NOT (LogonProcessName:\\"Advapi\\" AND ComputerName:\\"%Workstations%\\")))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Interactive Logon to Server Systems\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+((EventID:("528" "529" "4624" "4625") AND LogonType:"2" AND ComputerName:("%ServerSystems%" "%DomainControllers%")) AND (NOT (LogonProcessName:"Advapi" AND ComputerName:"%Workstations%")))
+```
+
+
 ### splunk
     
 ```
@@ -62,4 +83,18 @@ level: medium
 ```
 
 
+### logpoint
+    
+```
+(event_source="Microsoft-Windows-Security-Auditing" (event_id IN ["528", "529", "4624", "4625"] logon_type="2" ComputerName IN ["%ServerSystems%", "%DomainControllers%"])  -(logon_process="Advapi" ComputerName="%Workstations%"))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*(?=.*(?:.*528|.*529|.*4624|.*4625))(?=.*2)(?=.*(?:.*%ServerSystems%|.*%DomainControllers%))))(?=.*(?!.*(?:.*(?=.*Advapi)(?=.*%Workstations%)))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_iss_module_install.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_iss_module_install.md
index 4075fd4..449346d 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_iss_module_install.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_iss_module_install.md
@@ -3,7 +3,7 @@
 | Description          | Detects suspicious IIS native-code module installations via command line                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1100: Web Shell](https://attack.mitre.org/techniques/T1100)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1100: Web Shell](../Triggers/T1100.md)</li></ul>  |
 | Severity Level       | medium |
@@ -47,6 +47,27 @@ level: medium
 
 
 
+### es-qs
+    
+```
+CommandLine.keyword:(*\\\\APPCMD.EXE\\ install\\ module\\ \\/name\\:*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/IIS-Native-Code-Module-Command-Line-Installation <<EOF\n{\n  "metadata": {\n    "title": "IIS Native-Code Module Command Line Installation",\n    "description": "Detects suspicious IIS native-code module installations via command line",\n    "tags": [\n      "attack.persistence",\n      "attack.t1100"\n    ],\n    "query": "CommandLine.keyword:(*\\\\\\\\APPCMD.EXE\\\\ install\\\\ module\\\\ \\\\/name\\\\:*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "CommandLine.keyword:(*\\\\\\\\APPCMD.EXE\\\\ install\\\\ module\\\\ \\\\/name\\\\:*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'IIS Native-Code Module Command Line Installation\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+CommandLine.keyword:(*\\\\APPCMD.EXE install module \\/name\\:*)
+```
+
+
 ### splunk
     
 ```
@@ -54,4 +75,18 @@ level: medium
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" CommandLine IN ["*\\\\APPCMD.EXE install module /name:*"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*.*\\APPCMD\\.EXE install module /name:.*)'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_kerberos_manipulation.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_kerberos_manipulation.md
index aa5e1c1..ad19d5b 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_kerberos_manipulation.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_kerberos_manipulation.md
@@ -3,7 +3,7 @@
 | Description          | This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1212: Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0077_4769_kerberos_service_ticket_was_requested](../Data_Needed/DN_0077_4769_kerberos_service_ticket_was_requested.md)</li><li>[DN_0078_4771_kerberos_pre_authentication_failed](../Data_Needed/DN_0078_4771_kerberos_pre_authentication_failed.md)</li><li>[DN_0042_675_kerberos_preauthentication_failed](../Data_Needed/DN_0042_675_kerberos_preauthentication_failed.md)</li><li>[DN_0076_4768_kerberos_authentication_ticket_was_requested](../Data_Needed/DN_0076_4768_kerberos_authentication_ticket_was_requested.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0042_675_kerberos_preauthentication_failed](../Data_Needed/DN_0042_675_kerberos_preauthentication_failed.md)</li><li>[DN_0077_4769_kerberos_service_ticket_was_requested](../Data_Needed/DN_0077_4769_kerberos_service_ticket_was_requested.md)</li><li>[DN_0078_4771_kerberos_pre_authentication_failed](../Data_Needed/DN_0078_4771_kerberos_pre_authentication_failed.md)</li><li>[DN_0076_4768_kerberos_authentication_ticket_was_requested](../Data_Needed/DN_0076_4768_kerberos_authentication_ticket_was_requested.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1212: Exploitation for Credential Access](../Triggers/T1212.md)</li></ul>  |
 | Severity Level       | high |
@@ -77,6 +77,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(EventID:("675" OR "4768" OR "4769" OR "4771") AND FailureCode:("0x9" OR "0xA" OR "0xB" OR "0xF" OR "0x10" OR "0x11" OR "0x13" OR "0x14" OR "0x1A" OR "0x1F" OR "0x21" OR "0x22" OR "0x23" OR "0x24" OR "0x26" OR "0x27" OR "0x28" OR "0x29" OR "0x2C" OR "0x2D" OR "0x2E" OR "0x2F" OR "0x31" OR "0x32" OR "0x3E" OR "0x3F" OR "0x40" OR "0x41" OR "0x43" OR "0x44"))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Kerberos-Manipulation <<EOF\n{\n  "metadata": {\n    "title": "Kerberos Manipulation",\n    "description": "This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages",\n    "tags": [\n      "attack.credential_access",\n      "attack.t1212"\n    ],\n    "query": "(EventID:(\\"675\\" OR \\"4768\\" OR \\"4769\\" OR \\"4771\\") AND FailureCode:(\\"0x9\\" OR \\"0xA\\" OR \\"0xB\\" OR \\"0xF\\" OR \\"0x10\\" OR \\"0x11\\" OR \\"0x13\\" OR \\"0x14\\" OR \\"0x1A\\" OR \\"0x1F\\" OR \\"0x21\\" OR \\"0x22\\" OR \\"0x23\\" OR \\"0x24\\" OR \\"0x26\\" OR \\"0x27\\" OR \\"0x28\\" OR \\"0x29\\" OR \\"0x2C\\" OR \\"0x2D\\" OR \\"0x2E\\" OR \\"0x2F\\" OR \\"0x31\\" OR \\"0x32\\" OR \\"0x3E\\" OR \\"0x3F\\" OR \\"0x40\\" OR \\"0x41\\" OR \\"0x43\\" OR \\"0x44\\"))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:(\\"675\\" OR \\"4768\\" OR \\"4769\\" OR \\"4771\\") AND FailureCode:(\\"0x9\\" OR \\"0xA\\" OR \\"0xB\\" OR \\"0xF\\" OR \\"0x10\\" OR \\"0x11\\" OR \\"0x13\\" OR \\"0x14\\" OR \\"0x1A\\" OR \\"0x1F\\" OR \\"0x21\\" OR \\"0x22\\" OR \\"0x23\\" OR \\"0x24\\" OR \\"0x26\\" OR \\"0x27\\" OR \\"0x28\\" OR \\"0x29\\" OR \\"0x2C\\" OR \\"0x2D\\" OR \\"0x2E\\" OR \\"0x2F\\" OR \\"0x31\\" OR \\"0x32\\" OR \\"0x3E\\" OR \\"0x3F\\" OR \\"0x40\\" OR \\"0x41\\" OR \\"0x43\\" OR \\"0x44\\"))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Kerberos Manipulation\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(EventID:("675" "4768" "4769" "4771") AND FailureCode:("0x9" "0xA" "0xB" "0xF" "0x10" "0x11" "0x13" "0x14" "0x1A" "0x1F" "0x21" "0x22" "0x23" "0x24" "0x26" "0x27" "0x28" "0x29" "0x2C" "0x2D" "0x2E" "0x2F" "0x31" "0x32" "0x3E" "0x3F" "0x40" "0x41" "0x43" "0x44"))
+```
+
+
 ### splunk
     
 ```
@@ -84,4 +105,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_source="Microsoft-Windows-Security-Auditing" event_id IN ["675", "4768", "4769", "4771"] result_code IN ["0x9", "0xA", "0xB", "0xF", "0x10", "0x11", "0x13", "0x14", "0x1A", "0x1F", "0x21", "0x22", "0x23", "0x24", "0x26", "0x27", "0x28", "0x29", "0x2C", "0x2D", "0x2E", "0x2F", "0x31", "0x32", "0x3E", "0x3F", "0x40", "0x41", "0x43", "0x44"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*675|.*4768|.*4769|.*4771))(?=.*(?:.*0x9|.*0xA|.*0xB|.*0xF|.*0x10|.*0x11|.*0x13|.*0x14|.*0x1A|.*0x1F|.*0x21|.*0x22|.*0x23|.*0x24|.*0x26|.*0x27|.*0x28|.*0x29|.*0x2C|.*0x2D|.*0x2E|.*0x2F|.*0x31|.*0x32|.*0x3E|.*0x3F|.*0x40|.*0x41|.*0x43|.*0x44)))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_lsass_dump.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_lsass_dump.md
index a8e9504..ecb077b 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_lsass_dump.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_lsass_dump.md
@@ -47,6 +47,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(EventID:"4656" AND ProcessName:"C\\:\\\\Windows\\\\System32\\\\lsass.exe" AND AccessMask:"0x705" AND ObjectType:"SAM_DOMAIN")
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Password-Dumper-Activity-on-LSASS <<EOF\n{\n  "metadata": {\n    "title": "Password Dumper Activity on LSASS",\n    "description": "Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN",\n    "tags": [\n      "attack.credential_access",\n      "attack.t1003"\n    ],\n    "query": "(EventID:\\"4656\\" AND ProcessName:\\"C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\" AND AccessMask:\\"0x705\\" AND ObjectType:\\"SAM_DOMAIN\\")"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:\\"4656\\" AND ProcessName:\\"C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\" AND AccessMask:\\"0x705\\" AND ObjectType:\\"SAM_DOMAIN\\")",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Password Dumper Activity on LSASS\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(EventID:"4656" AND ProcessName:"C\\:\\\\Windows\\\\System32\\\\lsass.exe" AND AccessMask:"0x705" AND ObjectType:"SAM_DOMAIN")
+```
+
+
 ### splunk
     
 ```
@@ -54,4 +75,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_source="Microsoft-Windows-Security-Auditing" event_id="4656" ProcessName="C:\\\\Windows\\\\System32\\\\lsass.exe" AccessMask="0x705" ObjectType="SAM_DOMAIN")
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*4656)(?=.*C:\\Windows\\System32\\lsass\\.exe)(?=.*0x705)(?=.*SAM_DOMAIN))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_mshta_execution.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_mshta_execution.md
index 84bd2df..e83d716 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_mshta_execution.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_mshta_execution.md
@@ -3,7 +3,7 @@
 | Description          | Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1140: Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1140: Deobfuscate/Decode Files or Information](../Triggers/T1140.md)</li></ul>  |
 | Severity Level       | high |
@@ -65,6 +65,27 @@ detection:
 
 
 
+### es-qs
+    
+```
+(CommandLine.keyword:(*mshta\\ vbscript\\:CreateObject\\(\\"Wscript.Shell\\"\\)* OR *mshta\\ vbscript\\:Execute\\(\\"Execute* OR *mshta\\ vbscript\\:CreateObject\\(\\"Wscript.Shell\\"\\).Run\\(\\"mshta.exe*) OR (Image:("C\\:\\\\Windows\\\\system32\\\\mshta.exe") AND CommandLine.keyword:(*.jpg* OR *.png* OR *.lnk* OR *.xls* OR *.doc* OR *.zip*)))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/MSHTA-Suspicious-Execution-01 <<EOF\n{\n  "metadata": {\n    "title": "MSHTA Suspicious Execution 01",\n    "description": "Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.t1140"\n    ],\n    "query": "(CommandLine.keyword:(*mshta\\\\ vbscript\\\\:CreateObject\\\\(\\\\\\"Wscript.Shell\\\\\\"\\\\)* OR *mshta\\\\ vbscript\\\\:Execute\\\\(\\\\\\"Execute* OR *mshta\\\\ vbscript\\\\:CreateObject\\\\(\\\\\\"Wscript.Shell\\\\\\"\\\\).Run\\\\(\\\\\\"mshta.exe*) OR (Image:(\\"C\\\\:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\mshta.exe\\") AND CommandLine.keyword:(*.jpg* OR *.png* OR *.lnk* OR *.xls* OR *.doc* OR *.zip*)))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(CommandLine.keyword:(*mshta\\\\ vbscript\\\\:CreateObject\\\\(\\\\\\"Wscript.Shell\\\\\\"\\\\)* OR *mshta\\\\ vbscript\\\\:Execute\\\\(\\\\\\"Execute* OR *mshta\\\\ vbscript\\\\:CreateObject\\\\(\\\\\\"Wscript.Shell\\\\\\"\\\\).Run\\\\(\\\\\\"mshta.exe*) OR (Image:(\\"C\\\\:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\mshta.exe\\") AND CommandLine.keyword:(*.jpg* OR *.png* OR *.lnk* OR *.xls* OR *.doc* OR *.zip*)))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'MSHTA Suspicious Execution 01\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(CommandLine.keyword:(*mshta vbscript\\:CreateObject\\(\\"Wscript.Shell\\"\\)* *mshta vbscript\\:Execute\\(\\"Execute* *mshta vbscript\\:CreateObject\\(\\"Wscript.Shell\\"\\).Run\\(\\"mshta.exe*) OR (Image:("C\\:\\\\Windows\\\\system32\\\\mshta.exe") AND CommandLine.keyword:(*.jpg* *.png* *.lnk* *.xls* *.doc* *.zip*)))
+```
+
+
 ### splunk
     
 ```
@@ -72,4 +93,18 @@ detection:
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" (CommandLine IN ["*mshta vbscript:CreateObject(\\"Wscript.Shell\\")*", "*mshta vbscript:Execute(\\"Execute*", "*mshta vbscript:CreateObject(\\"Wscript.Shell\\").Run(\\"mshta.exe*"] OR (Image IN ["C:\\\\Windows\\\\system32\\\\mshta.exe"] CommandLine IN ["*.jpg*", "*.png*", "*.lnk*", "*.xls*", "*.doc*", "*.zip*"])))
+```
+
+
+### grep
+    
+```
+grep -P \'^(?:.*(?:.*(?:.*.*mshta vbscript:CreateObject\\("Wscript\\.Shell"\\).*|.*.*mshta vbscript:Execute\\("Execute.*|.*.*mshta vbscript:CreateObject\\("Wscript\\.Shell"\\)\\.Run\\("mshta\\.exe.*)|.*(?:.*(?=.*(?:.*C:\\Windows\\system32\\mshta\\.exe))(?=.*(?:.*.*\\.jpg.*|.*.*\\.png.*|.*.*\\.lnk.*|.*.*\\.xls.*|.*.*\\.doc.*|.*.*\\.zip.*)))))\'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_msiexec_cwd.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_msiexec_cwd.md
index fa64c08..6794051 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_msiexec_cwd.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_msiexec_cwd.md
@@ -3,7 +3,7 @@
 | Description          | Detects suspicious msiexec process starts in an uncommon directory                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1036: Masquerading](../Triggers/T1036.md)</li></ul>  |
 | Severity Level       | high |
@@ -51,6 +51,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(Image.keyword:*\\\\msiexec.exe AND (NOT (Image.keyword:(C\\:\\\\Windows\\\\System32\\\\* OR C\\:\\\\Windows\\\\SysWOW64\\\\* OR C\\:\\\\Windows\\\\WinSxS\\\\*))))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-MsiExec-Directory <<EOF\n{\n  "metadata": {\n    "title": "Suspicious MsiExec Directory",\n    "description": "Detects suspicious msiexec process starts in an uncommon directory",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.t1036"\n    ],\n    "query": "(Image.keyword:*\\\\\\\\msiexec.exe AND (NOT (Image.keyword:(C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\*))))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(Image.keyword:*\\\\\\\\msiexec.exe AND (NOT (Image.keyword:(C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\*))))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Suspicious MsiExec Directory\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(Image.keyword:*\\\\msiexec.exe AND (NOT (Image.keyword:(C\\:\\\\Windows\\\\System32\\\\* C\\:\\\\Windows\\\\SysWOW64\\\\* C\\:\\\\Windows\\\\WinSxS\\\\*))))
+```
+
+
 ### splunk
     
 ```
@@ -58,4 +79,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" Image="*\\\\msiexec.exe"  -(Image IN ["C:\\\\Windows\\\\System32\\\\*", "C:\\\\Windows\\\\SysWOW64\\\\*", "C:\\\\Windows\\\\WinSxS\\\\*"]))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*.*\\msiexec\\.exe)(?=.*(?!.*(?:.*(?=.*(?:.*C:\\Windows\\System32\\\\.*|.*C:\\Windows\\SysWOW64\\\\.*|.*C:\\Windows\\WinSxS\\\\.*))))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_msiexec_web_install.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_msiexec_web_install.md
index ea722fb..78caf0c 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_msiexec_web_install.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_msiexec_web_install.md
@@ -3,7 +3,7 @@
 | Description          | Detects suspicious msiexec process starts with web addreses as parameter                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
 | ATT&amp;CK Technique |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              |  There is no documented Trigger for this Detection Rule yet  |
 | Severity Level       | medium |
@@ -47,6 +47,27 @@ level: medium
 
 
 
+### es-qs
+    
+```
+CommandLine.keyword:(*\\ msiexec*\\:\\/\\/*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/MsiExec-Web-Install <<EOF\n{\n  "metadata": {\n    "title": "MsiExec Web Install",\n    "description": "Detects suspicious msiexec process starts with web addreses as parameter",\n    "tags": [\n      "attack.defense_evasion"\n    ],\n    "query": "CommandLine.keyword:(*\\\\ msiexec*\\\\:\\\\/\\\\/*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "CommandLine.keyword:(*\\\\ msiexec*\\\\:\\\\/\\\\/*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'MsiExec Web Install\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+CommandLine.keyword:(* msiexec*\\:\\/\\/*)
+```
+
+
 ### splunk
     
 ```
@@ -54,4 +75,18 @@ level: medium
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" CommandLine IN ["* msiexec*://*"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*.* msiexec.*://.*)'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_msmpeng_crash.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_msmpeng_crash.md
index 8c094da..996e75d 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_msmpeng_crash.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_msmpeng_crash.md
@@ -56,6 +56,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(((Source:"Application\\ Error" AND EventID:"1000") OR (Source:"Windows\\ Error\\ Reporting" AND EventID:"1001")) AND Message.keyword:(*MsMpEng.exe* OR *mpengine.dll*))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Microsoft-Malware-Protection-Engine-Crash <<EOF\n{\n  "metadata": {\n    "title": "Microsoft Malware Protection Engine Crash",\n    "description": "This rule detects a suspicious crash of the Microsoft Malware Protection Engine",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.t1089",\n      "attack.t1211"\n    ],\n    "query": "(((Source:\\"Application\\\\ Error\\" AND EventID:\\"1000\\") OR (Source:\\"Windows\\\\ Error\\\\ Reporting\\" AND EventID:\\"1001\\")) AND Message.keyword:(*MsMpEng.exe* OR *mpengine.dll*))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(((Source:\\"Application\\\\ Error\\" AND EventID:\\"1000\\") OR (Source:\\"Windows\\\\ Error\\\\ Reporting\\" AND EventID:\\"1001\\")) AND Message.keyword:(*MsMpEng.exe* OR *mpengine.dll*))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Microsoft Malware Protection Engine Crash\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(((Source:"Application Error" AND EventID:"1000") OR (Source:"Windows Error Reporting" AND EventID:"1001")) AND Message.keyword:(*MsMpEng.exe* *mpengine.dll*))
+```
+
+
 ### splunk
     
 ```
@@ -63,4 +84,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(((Source="Application Error" event_id="1000") OR (Source="Windows Error Reporting" event_id="1001")) Message IN ["*MsMpEng.exe*", "*mpengine.dll*"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*(?:.*(?:.*(?=.*Application Error)(?=.*1000))|.*(?:.*(?=.*Windows Error Reporting)(?=.*1001)))))(?=.*(?:.*.*MsMpEng\\.exe.*|.*.*mpengine\\.dll.*)))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_msoffice.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_msoffice.md
index b419f19..8900c37 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_msoffice.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_msoffice.md
@@ -53,6 +53,27 @@ falsepositives:
 
 
 
+### es-qs
+    
+```
+(Image.keyword:(*\\\\powerpnt.exe OR *\\\\winword.exe OR *\\\\excel.exe) AND CommandLine.keyword:*http*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Malicious-payload-download-via-Office-binaries <<EOF\n{\n  "metadata": {\n    "title": "Malicious payload download via Office binaries",\n    "description": "Downloads payload from remote server",\n    "tags": [\n      "attack.command_and_control",\n      "attack.t1105"\n    ],\n    "query": "(Image.keyword:(*\\\\\\\\powerpnt.exe OR *\\\\\\\\winword.exe OR *\\\\\\\\excel.exe) AND CommandLine.keyword:*http*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(Image.keyword:(*\\\\\\\\powerpnt.exe OR *\\\\\\\\winword.exe OR *\\\\\\\\excel.exe) AND CommandLine.keyword:*http*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Malicious payload download via Office binaries\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(Image.keyword:(*\\\\powerpnt.exe *\\\\winword.exe *\\\\excel.exe) AND CommandLine.keyword:*http*)
+```
+
+
 ### splunk
     
 ```
@@ -60,4 +81,18 @@ falsepositives:
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" Image IN ["*\\\\powerpnt.exe", "*\\\\winword.exe", "*\\\\excel.exe"] CommandLine="*http*")
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*.*\\powerpnt\\.exe|.*.*\\winword\\.exe|.*.*\\excel\\.exe))(?=.*.*http.*))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_net_execution.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_net_execution.md
index c857a3f..c490d48 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_net_execution.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_net_execution.md
@@ -3,7 +3,7 @@
 | Description          | Detects execution of Net.exe, whether suspicious or benign.                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li><li>[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007)</li></ul>  |
 | ATT&amp;CK Technique |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              |  There is no documented Trigger for this Detection Rule yet  |
 | Severity Level       | low |
@@ -60,6 +60,27 @@ level: low
 
 
 
+### es-qs
+    
+```
+(Image.keyword:(*\\\\net.exe OR *\\\\net1.exe) AND CommandLine.keyword:(*\\ group* OR *\\ localgroup* OR *\\ user* OR *\\ view* OR *\\ share OR *\\ accounts* OR *\\ use* OR *\\ stop\\ *))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Net.exe-Execution <<EOF\n{\n  "metadata": {\n    "title": "Net.exe Execution",\n    "description": "Detects execution of Net.exe, whether suspicious or benign.",\n    "tags": [\n      "attack.s0039",\n      "attack.lateral_movement",\n      "attack.discovery"\n    ],\n    "query": "(Image.keyword:(*\\\\\\\\net.exe OR *\\\\\\\\net1.exe) AND CommandLine.keyword:(*\\\\ group* OR *\\\\ localgroup* OR *\\\\ user* OR *\\\\ view* OR *\\\\ share OR *\\\\ accounts* OR *\\\\ use* OR *\\\\ stop\\\\ *))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(Image.keyword:(*\\\\\\\\net.exe OR *\\\\\\\\net1.exe) AND CommandLine.keyword:(*\\\\ group* OR *\\\\ localgroup* OR *\\\\ user* OR *\\\\ view* OR *\\\\ share OR *\\\\ accounts* OR *\\\\ use* OR *\\\\ stop\\\\ *))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Net.exe Execution\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n      CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(Image.keyword:(*\\\\net.exe *\\\\net1.exe) AND CommandLine.keyword:(* group* * localgroup* * user* * view* * share * accounts* * use* * stop *))
+```
+
+
 ### splunk
     
 ```
@@ -67,4 +88,18 @@ level: low
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" Image IN ["*\\\\net.exe", "*\\\\net1.exe"] CommandLine IN ["* group*", "* localgroup*", "* user*", "* view*", "* share", "* accounts*", "* use*", "* stop *"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*.*\\net\\.exe|.*.*\\net1\\.exe))(?=.*(?:.*.* group.*|.*.* localgroup.*|.*.* user.*|.*.* view.*|.*.* share|.*.* accounts.*|.*.* use.*|.*.* stop .*)))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_net_recon_activity.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_net_recon_activity.md
index 4b1b599..5244d1b 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_net_recon_activity.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_net_recon_activity.md
@@ -56,6 +56,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(EventID:"4661" AND AccessMask:"0x2d" AND ((ObjectType:"SAM_USER" AND ObjectName.keyword:S\\-1\\-5\\-21\\-*\\-500) OR (ObjectType:"SAM_GROUP" AND ObjectName.keyword:S\\-1\\-5\\-21\\-*\\-512)))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Reconnaissance-Activity <<EOF\n{\n  "metadata": {\n    "title": "Reconnaissance Activity",\n    "description": "Detects activity as \\"net user administrator /domain\\" and \\"net group domain admins /domain\\"",\n    "tags": [\n      "attack.discovery",\n      "attack.t1087",\n      "attack.t1069",\n      "attack.s0039"\n    ],\n    "query": "(EventID:\\"4661\\" AND AccessMask:\\"0x2d\\" AND ((ObjectType:\\"SAM_USER\\" AND ObjectName.keyword:S\\\\-1\\\\-5\\\\-21\\\\-*\\\\-500) OR (ObjectType:\\"SAM_GROUP\\" AND ObjectName.keyword:S\\\\-1\\\\-5\\\\-21\\\\-*\\\\-512)))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:\\"4661\\" AND AccessMask:\\"0x2d\\" AND ((ObjectType:\\"SAM_USER\\" AND ObjectName.keyword:S\\\\-1\\\\-5\\\\-21\\\\-*\\\\-500) OR (ObjectType:\\"SAM_GROUP\\" AND ObjectName.keyword:S\\\\-1\\\\-5\\\\-21\\\\-*\\\\-512)))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Reconnaissance Activity\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(EventID:"4661" AND AccessMask:"0x2d" AND ((ObjectType:"SAM_USER" AND ObjectName.keyword:S\\-1\\-5\\-21\\-*\\-500) OR (ObjectType:"SAM_GROUP" AND ObjectName.keyword:S\\-1\\-5\\-21\\-*\\-512)))
+```
+
+
 ### splunk
     
 ```
@@ -63,4 +84,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_source="Microsoft-Windows-Security-Auditing" event_id="4661" AccessMask="0x2d" ((ObjectType="SAM_USER" ObjectName="S-1-5-21-*-500") OR (ObjectType="SAM_GROUP" ObjectName="S-1-5-21-*-512")))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*4661)(?=.*0x2d)(?=.*(?:.*(?:.*(?:.*(?=.*SAM_USER)(?=.*S-1-5-21-.*-500))|.*(?:.*(?=.*SAM_GROUP)(?=.*S-1-5-21-.*-512))))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_ntdsutil.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_ntdsutil.md
index 0c7a9a5..a626c92 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_ntdsutil.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_ntdsutil.md
@@ -3,7 +3,7 @@
 | Description          | Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1003: Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1003: Credential Dumping](../Triggers/T1003.md)</li></ul>  |
 | Severity Level       | high |
@@ -45,6 +45,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+CommandLine.keyword:*\\\\ntdsutil*
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Invocation-of-Active-Directory-Diagnostic-Tool-ntdsutil.exe <<EOF\n{\n  "metadata": {\n    "title": "Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)",\n    "description": "Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)",\n    "tags": [\n      "attack.credential_access",\n      "attack.t1003"\n    ],\n    "query": "CommandLine.keyword:*\\\\\\\\ntdsutil*"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "CommandLine.keyword:*\\\\\\\\ntdsutil*",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+CommandLine.keyword:*\\\\ntdsutil*
+```
+
+
 ### splunk
     
 ```
@@ -52,4 +73,18 @@ CommandLine="*\\\\ntdsutil*"
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" CommandLine="*\\\\ntdsutil*")
+```
+
+
+### grep
+    
+```
+grep -P '^.*\\ntdsutil.*'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_ntlm_auth.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_ntlm_auth.md
index aeeabc9..5b15aad 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_ntlm_auth.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_ntlm_auth.md
@@ -49,6 +49,27 @@ level: low
 
 
 
+### es-qs
+    
+```
+(EventID:"8002" AND CallingProcessName.keyword:*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/NTLM-Logon <<EOF\n{\n  "metadata": {\n    "title": "NTLM Logon",\n    "description": "Detects logons using NTLM, which could be caused by a legacy source or attackers",\n    "tags": [\n      "attack.lateral_movement",\n      "attack.t1075"\n    ],\n    "query": "(EventID:\\"8002\\" AND CallingProcessName.keyword:*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:\\"8002\\" AND CallingProcessName.keyword:*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'NTLM Logon\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(EventID:"8002" AND CallingProcessName.keyword:*)
+```
+
+
 ### splunk
     
 ```
@@ -56,4 +77,18 @@ level: low
 ```
 
 
+### logpoint
+    
+```
+(event_id="8002" CallingProcessName="*")
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*8002)(?=.*.*))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_odbcconf.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_odbcconf.md
index 4f209a1..86c997d 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_odbcconf.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_odbcconf.md
@@ -55,6 +55,27 @@ falsepositives:
 
 
 
+### es-qs
+    
+```
+((Image.keyword:*\\\\odbcconf.exe AND CommandLine.keyword:(*\\-f* OR *regsvr*)) OR (ParentImage.keyword:*\\\\odbcconf.exe AND Image.keyword:*\\\\rundll32.exe))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Possible-Application-Whitelisting-Bypass-via-dll-loaded-by-odbcconf.exe <<EOF\n{\n  "metadata": {\n    "title": "Possible Application Whitelisting Bypass via dll loaded by odbcconf.exe",\n    "description": "Detects defence evasion attempt via odbcconf.exe execution to load DLL",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.execution",\n      "attack.t1218"\n    ],\n    "query": "((Image.keyword:*\\\\\\\\odbcconf.exe AND CommandLine.keyword:(*\\\\-f* OR *regsvr*)) OR (ParentImage.keyword:*\\\\\\\\odbcconf.exe AND Image.keyword:*\\\\\\\\rundll32.exe))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "((Image.keyword:*\\\\\\\\odbcconf.exe AND CommandLine.keyword:(*\\\\-f* OR *regsvr*)) OR (ParentImage.keyword:*\\\\\\\\odbcconf.exe AND Image.keyword:*\\\\\\\\rundll32.exe))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Possible Application Whitelisting Bypass via dll loaded by odbcconf.exe\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+((Image.keyword:*\\\\odbcconf.exe AND CommandLine.keyword:(*\\-f* *regsvr*)) OR (ParentImage.keyword:*\\\\odbcconf.exe AND Image.keyword:*\\\\rundll32.exe))
+```
+
+
 ### splunk
     
 ```
@@ -62,4 +83,18 @@ falsepositives:
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" ((Image="*\\\\odbcconf.exe" CommandLine IN ["*-f*", "*regsvr*"]) OR (ParentImage="*\\\\odbcconf.exe" Image="*\\\\rundll32.exe")))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?:.*(?:.*(?=.*.*\\odbcconf\\.exe)(?=.*(?:.*.*-f.*|.*.*regsvr.*)))|.*(?:.*(?=.*.*\\odbcconf\\.exe)(?=.*.*\\rundll32\\.exe))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_openwith.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_openwith.md
index 48a2f24..6219fc9 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_openwith.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_openwith.md
@@ -50,6 +50,27 @@ falsepositives:
 
 
 
+### es-qs
+    
+```
+(Image.keyword:*\\\\OpenWith.exe AND CommandLine.keyword:*\\/c*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/OpenWith.exe-executes-specified-binary <<EOF\n{\n  "metadata": {\n    "title": "OpenWith.exe executes specified binary",\n    "description": "The OpenWith.exe executes other binary",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.execution",\n      "attack.t1218"\n    ],\n    "query": "(Image.keyword:*\\\\\\\\OpenWith.exe AND CommandLine.keyword:*\\\\/c*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(Image.keyword:*\\\\\\\\OpenWith.exe AND CommandLine.keyword:*\\\\/c*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'OpenWith.exe executes specified binary\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(Image.keyword:*\\\\OpenWith.exe AND CommandLine.keyword:*\\/c*)
+```
+
+
 ### splunk
     
 ```
@@ -57,4 +78,18 @@ falsepositives:
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" Image="*\\\\OpenWith.exe" CommandLine="*/c*")
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*.*\\OpenWith\\.exe)(?=.*.*/c.*))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_outlook.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_outlook.md
index 9ac435f..57b7c44 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_outlook.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_outlook.md
@@ -3,7 +3,7 @@
 | Description          | Detects EnableUnsafeClientMailRules used for Script Execution from Outlook                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1059: Command-Line Interface](https://attack.mitre.org/techniques/T1059)</li><li>[T1202: Indirect Command Execution](https://attack.mitre.org/techniques/T1202)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1059: Command-Line Interface](../Triggers/T1059.md)</li><li>[T1202: Indirect Command Execution](../Triggers/T1202.md)</li></ul>  |
 | Severity Level       | high |
@@ -51,6 +51,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(CommandLine.keyword:*EnableUnsafeClientMailRules* OR (ParentImage.keyword:*\\\\outlook.exe AND CommandLine.keyword:\\\\\\\\*\\\\*.exe))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-Execution-from-Outlook <<EOF\n{\n  "metadata": {\n    "title": "Suspicious Execution from Outlook",\n    "description": "Detects EnableUnsafeClientMailRules used for Script Execution from Outlook",\n    "tags": [\n      "attack.execution",\n      "attack.t1059",\n      "attack.t1202"\n    ],\n    "query": "(CommandLine.keyword:*EnableUnsafeClientMailRules* OR (ParentImage.keyword:*\\\\\\\\outlook.exe AND CommandLine.keyword:\\\\\\\\\\\\\\\\*\\\\\\\\*.exe))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(CommandLine.keyword:*EnableUnsafeClientMailRules* OR (ParentImage.keyword:*\\\\\\\\outlook.exe AND CommandLine.keyword:\\\\\\\\\\\\\\\\*\\\\\\\\*.exe))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Suspicious Execution from Outlook\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(CommandLine.keyword:*EnableUnsafeClientMailRules* OR (ParentImage.keyword:*\\\\outlook.exe AND CommandLine.keyword:\\\\\\\\*\\\\*.exe))
+```
+
+
 ### splunk
     
 ```
@@ -58,4 +79,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" (CommandLine="*EnableUnsafeClientMailRules*" OR (ParentImage="*\\\\outlook.exe" CommandLine="\\\\\\\\*\\\\*.exe")))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?:.*.*EnableUnsafeClientMailRules.*|.*(?:.*(?=.*.*\\outlook\\.exe)(?=.*\\\\\\\\.*\\\\.*\\.exe))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_outlook_temp.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_outlook_temp.md
index 83cf701..0e0ed37 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_outlook_temp.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_outlook_temp.md
@@ -3,7 +3,7 @@
 | Description          | Detects a suspicious program execution in Outlook temp folder                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0001: Initial Access](https://attack.mitre.org/tactics/TA0001)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1193: Spearphishing Attachment](https://attack.mitre.org/techniques/T1193)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1193: Spearphishing Attachment](../Triggers/T1193.md)</li></ul>  |
 | Severity Level       | high |
@@ -47,6 +47,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+Image.keyword:*\\\\Temporary\\ Internet\\ Files\\\\Content.Outlook\\\\*
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Execution-in-Outlook-Temp-Folder <<EOF\n{\n  "metadata": {\n    "title": "Execution in Outlook Temp Folder",\n    "description": "Detects a suspicious program execution in Outlook temp folder",\n    "tags": [\n      "attack.initial_access",\n      "attack.t1193"\n    ],\n    "query": "Image.keyword:*\\\\\\\\Temporary\\\\ Internet\\\\ Files\\\\\\\\Content.Outlook\\\\\\\\*"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "Image.keyword:*\\\\\\\\Temporary\\\\ Internet\\\\ Files\\\\\\\\Content.Outlook\\\\\\\\*",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Execution in Outlook Temp Folder\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n      CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+Image.keyword:*\\\\Temporary Internet Files\\\\Content.Outlook\\\\*
+```
+
+
 ### splunk
     
 ```
@@ -54,4 +75,18 @@ Image="*\\\\Temporary Internet Files\\\\Content.Outlook\\\\*" | table CommandLin
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" Image="*\\\\Temporary Internet Files\\\\Content.Outlook\\\\*")
+```
+
+
+### grep
+    
+```
+grep -P '^.*\\Temporary Internet Files\\Content\\.Outlook\\\\.*'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_ping_hex_ip.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_ping_hex_ip.md
index a08b647..912682a 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_ping_hex_ip.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_ping_hex_ip.md
@@ -3,7 +3,7 @@
 | Description          | Detects a ping command that uses a hex encoded IP address                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1140: Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)</li><li>[T1027: Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1140: Deobfuscate/Decode Files or Information](../Triggers/T1140.md)</li><li>[T1027: Obfuscated Files or Information](../Triggers/T1027.md)</li></ul>  |
 | Severity Level       | high |
@@ -51,6 +51,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+CommandLine.keyword:(*\\\\ping.exe\\ 0x* OR *\\\\ping\\ 0x*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Ping-Hex-IP <<EOF\n{\n  "metadata": {\n    "title": "Ping Hex IP",\n    "description": "Detects a ping command that uses a hex encoded IP address",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.t1140",\n      "attack.t1027"\n    ],\n    "query": "CommandLine.keyword:(*\\\\\\\\ping.exe\\\\ 0x* OR *\\\\\\\\ping\\\\ 0x*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "CommandLine.keyword:(*\\\\\\\\ping.exe\\\\ 0x* OR *\\\\\\\\ping\\\\ 0x*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Ping Hex IP\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+CommandLine.keyword:(*\\\\ping.exe 0x* *\\\\ping 0x*)
+```
+
+
 ### splunk
     
 ```
@@ -58,4 +79,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" CommandLine IN ["*\\\\ping.exe 0x*", "*\\\\ping 0x*"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*.*\\ping\\.exe 0x.*|.*.*\\ping 0x.*)'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_powershell_empire_launch.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_powershell_empire_launch.md
index 350c3fd..d7f3f4f 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_powershell_empire_launch.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_powershell_empire_launch.md
@@ -3,7 +3,7 @@
 | Description          | Detects suspicious powershell command line parameters used in Empire                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul>  |
 | Severity Level       | critical |
@@ -50,6 +50,27 @@ level: critical
 
 
 
+### es-qs
+    
+```
+CommandLine.keyword:(*\\ \\-NoP\\ \\-sta\\ \\-NonI\\ \\-W\\ Hidden\\ \\-Enc\\ * OR *\\ \\-noP\\ \\-sta\\ \\-w\\ 1\\ \\-enc\\ * OR *\\ \\-NoP\\ \\-NonI\\ \\-W\\ Hidden\\ \\-enc\\ *)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Empire-PowerShell-Launch-Parameters <<EOF\n{\n  "metadata": {\n    "title": "Empire PowerShell Launch Parameters",\n    "description": "Detects suspicious powershell command line parameters used in Empire",\n    "tags": [\n      "attack.execution",\n      "attack.t1086"\n    ],\n    "query": "CommandLine.keyword:(*\\\\ \\\\-NoP\\\\ \\\\-sta\\\\ \\\\-NonI\\\\ \\\\-W\\\\ Hidden\\\\ \\\\-Enc\\\\ * OR *\\\\ \\\\-noP\\\\ \\\\-sta\\\\ \\\\-w\\\\ 1\\\\ \\\\-enc\\\\ * OR *\\\\ \\\\-NoP\\\\ \\\\-NonI\\\\ \\\\-W\\\\ Hidden\\\\ \\\\-enc\\\\ *)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "CommandLine.keyword:(*\\\\ \\\\-NoP\\\\ \\\\-sta\\\\ \\\\-NonI\\\\ \\\\-W\\\\ Hidden\\\\ \\\\-Enc\\\\ * OR *\\\\ \\\\-noP\\\\ \\\\-sta\\\\ \\\\-w\\\\ 1\\\\ \\\\-enc\\\\ * OR *\\\\ \\\\-NoP\\\\ \\\\-NonI\\\\ \\\\-W\\\\ Hidden\\\\ \\\\-enc\\\\ *)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Empire PowerShell Launch Parameters\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+CommandLine.keyword:(* \\-NoP \\-sta \\-NonI \\-W Hidden \\-Enc * * \\-noP \\-sta \\-w 1 \\-enc * * \\-NoP \\-NonI \\-W Hidden \\-enc *)
+```
+
+
 ### splunk
     
 ```
@@ -57,4 +78,18 @@ level: critical
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" CommandLine IN ["* -NoP -sta -NonI -W Hidden -Enc *", "* -noP -sta -w 1 -enc *", "* -NoP -NonI -W Hidden -enc *"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*.* -NoP -sta -NonI -W Hidden -Enc .*|.*.* -noP -sta -w 1 -enc .*|.*.* -NoP -NonI -W Hidden -enc .*)'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_powershell_empire_uac_bypass.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_powershell_empire_uac_bypass.md
index 859d2f5..70affd2 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_powershell_empire_uac_bypass.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_powershell_empire_uac_bypass.md
@@ -3,7 +3,7 @@
 | Description          | Detects some Empire PowerShell UAC bypass methods                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1088: Bypass User Account Control](https://attack.mitre.org/techniques/T1088)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1088: Bypass User Account Control](../Triggers/T1088.md)</li></ul>  |
 | Severity Level       | critical |
@@ -54,6 +54,27 @@ level: critical
 
 
 
+### es-qs
+    
+```
+CommandLine.keyword:(*\\ \\-NoP\\ \\-NonI\\ \\-w\\ Hidden\\ \\-c\\ $x\\=$\\(\\(gp\\ HKCU\\:Software\\\\Microsoft\\\\Windows\\ Update\\).Update\\)* OR *\\ \\-NoP\\ \\-NonI\\ \\-c\\ $x\\=$\\(\\(gp\\ HKCU\\:Software\\\\Microsoft\\\\Windows\\ Update\\).Update\\);*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Empire-PowerShell-UAC-Bypass <<EOF\n{\n  "metadata": {\n    "title": "Empire PowerShell UAC Bypass",\n    "description": "Detects some Empire PowerShell UAC bypass methods",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.privilege_escalation",\n      "attack.t1088",\n      "car.2019-04-001"\n    ],\n    "query": "CommandLine.keyword:(*\\\\ \\\\-NoP\\\\ \\\\-NonI\\\\ \\\\-w\\\\ Hidden\\\\ \\\\-c\\\\ $x\\\\=$\\\\(\\\\(gp\\\\ HKCU\\\\:Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\ Update\\\\).Update\\\\)* OR *\\\\ \\\\-NoP\\\\ \\\\-NonI\\\\ \\\\-c\\\\ $x\\\\=$\\\\(\\\\(gp\\\\ HKCU\\\\:Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\ Update\\\\).Update\\\\);*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "CommandLine.keyword:(*\\\\ \\\\-NoP\\\\ \\\\-NonI\\\\ \\\\-w\\\\ Hidden\\\\ \\\\-c\\\\ $x\\\\=$\\\\(\\\\(gp\\\\ HKCU\\\\:Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\ Update\\\\).Update\\\\)* OR *\\\\ \\\\-NoP\\\\ \\\\-NonI\\\\ \\\\-c\\\\ $x\\\\=$\\\\(\\\\(gp\\\\ HKCU\\\\:Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\ Update\\\\).Update\\\\);*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Empire PowerShell UAC Bypass\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n      CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+CommandLine.keyword:(* \\-NoP \\-NonI \\-w Hidden \\-c $x=$\\(\\(gp HKCU\\:Software\\\\Microsoft\\\\Windows Update\\).Update\\)* * \\-NoP \\-NonI \\-c $x=$\\(\\(gp HKCU\\:Software\\\\Microsoft\\\\Windows Update\\).Update\\);*)
+```
+
+
 ### splunk
     
 ```
@@ -61,4 +82,18 @@ level: critical
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" CommandLine IN ["* -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update)*", "* -NoP -NonI -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update);*"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*.* -NoP -NonI -w Hidden -c \\$x=\\$\\(\\(gp HKCU:Software\\\\Microsoft\\\\Windows Update\\)\\.Update\\).*|.*.* -NoP -NonI -c \\$x=\\$\\(\\(gp HKCU:Software\\\\Microsoft\\\\Windows Update\\)\\.Update\\);.*)'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_powershell_enc_cmd.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_powershell_enc_cmd.md
index db245d9..0ee232f 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_powershell_enc_cmd.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_powershell_enc_cmd.md
@@ -3,7 +3,7 @@
 | Description          | Detects suspicious powershell process starts with base64 encoded commands                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul>  |
 | Severity Level       | high |
@@ -65,6 +65,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(CommandLine.keyword:(*\\ \\-e\\ JAB* OR *\\ \\-e\\ \\ JAB* OR *\\ \\-e\\ \\ \\ JAB* OR *\\ \\-e\\ \\ \\ \\ JAB* OR *\\ \\-e\\ \\ \\ \\ \\ JAB* OR *\\ \\-e\\ \\ \\ \\ \\ \\ JAB* OR *\\ \\-enc\\ JAB* OR *\\ \\-enco\\ JAB* OR *\\ \\-encodedcommand\\ JAB* OR *\\ BA\\^J\\ e\\- OR *\\ \\-e\\ SUVYI* OR *\\ \\-e\\ aWV4I* OR *\\ \\-e\\ SQBFAFgA* OR *\\ \\-e\\ aQBlAHgA* OR *\\ \\-enc\\ SUVYI* OR *\\ \\-enc\\ aWV4I* OR *\\ \\-enc\\ SQBFAFgA* OR *\\ \\-enc\\ aQBlAHgA*) AND (NOT (CommandLine.keyword:*\\ \\-ExecutionPolicy\\ remotesigned\\ *)))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-Encoded-PowerShell-Command-Line <<EOF\n{\n  "metadata": {\n    "title": "Suspicious Encoded PowerShell Command Line",\n    "description": "Detects suspicious powershell process starts with base64 encoded commands",\n    "tags": [\n      "attack.execution",\n      "attack.t1086"\n    ],\n    "query": "(CommandLine.keyword:(*\\\\ \\\\-e\\\\ JAB* OR *\\\\ \\\\-e\\\\ \\\\ JAB* OR *\\\\ \\\\-e\\\\ \\\\ \\\\ JAB* OR *\\\\ \\\\-e\\\\ \\\\ \\\\ \\\\ JAB* OR *\\\\ \\\\-e\\\\ \\\\ \\\\ \\\\ \\\\ JAB* OR *\\\\ \\\\-e\\\\ \\\\ \\\\ \\\\ \\\\ \\\\ JAB* OR *\\\\ \\\\-enc\\\\ JAB* OR *\\\\ \\\\-enco\\\\ JAB* OR *\\\\ \\\\-encodedcommand\\\\ JAB* OR *\\\\ BA\\\\^J\\\\ e\\\\- OR *\\\\ \\\\-e\\\\ SUVYI* OR *\\\\ \\\\-e\\\\ aWV4I* OR *\\\\ \\\\-e\\\\ SQBFAFgA* OR *\\\\ \\\\-e\\\\ aQBlAHgA* OR *\\\\ \\\\-enc\\\\ SUVYI* OR *\\\\ \\\\-enc\\\\ aWV4I* OR *\\\\ \\\\-enc\\\\ SQBFAFgA* OR *\\\\ \\\\-enc\\\\ aQBlAHgA*) AND (NOT (CommandLine.keyword:*\\\\ \\\\-ExecutionPolicy\\\\ remotesigned\\\\ *)))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(CommandLine.keyword:(*\\\\ \\\\-e\\\\ JAB* OR *\\\\ \\\\-e\\\\ \\\\ JAB* OR *\\\\ \\\\-e\\\\ \\\\ \\\\ JAB* OR *\\\\ \\\\-e\\\\ \\\\ \\\\ \\\\ JAB* OR *\\\\ \\\\-e\\\\ \\\\ \\\\ \\\\ \\\\ JAB* OR *\\\\ \\\\-e\\\\ \\\\ \\\\ \\\\ \\\\ \\\\ JAB* OR *\\\\ \\\\-enc\\\\ JAB* OR *\\\\ \\\\-enco\\\\ JAB* OR *\\\\ \\\\-encodedcommand\\\\ JAB* OR *\\\\ BA\\\\^J\\\\ e\\\\- OR *\\\\ \\\\-e\\\\ SUVYI* OR *\\\\ \\\\-e\\\\ aWV4I* OR *\\\\ \\\\-e\\\\ SQBFAFgA* OR *\\\\ \\\\-e\\\\ aQBlAHgA* OR *\\\\ \\\\-enc\\\\ SUVYI* OR *\\\\ \\\\-enc\\\\ aWV4I* OR *\\\\ \\\\-enc\\\\ SQBFAFgA* OR *\\\\ \\\\-enc\\\\ aQBlAHgA*) AND (NOT (CommandLine.keyword:*\\\\ \\\\-ExecutionPolicy\\\\ remotesigned\\\\ *)))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Suspicious Encoded PowerShell Command Line\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(CommandLine.keyword:(* \\-e JAB* * \\-e  JAB* * \\-e   JAB* * \\-e    JAB* * \\-e     JAB* * \\-e      JAB* * \\-enc JAB* * \\-enco JAB* * \\-encodedcommand JAB* * BA\\^J e\\- * \\-e SUVYI* * \\-e aWV4I* * \\-e SQBFAFgA* * \\-e aQBlAHgA* * \\-enc SUVYI* * \\-enc aWV4I* * \\-enc SQBFAFgA* * \\-enc aQBlAHgA*) AND (NOT (CommandLine.keyword:* \\-ExecutionPolicy remotesigned *)))
+```
+
+
 ### splunk
     
 ```
@@ -72,4 +93,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" CommandLine IN ["* -e JAB*", "* -e  JAB*", "* -e   JAB*", "* -e    JAB*", "* -e     JAB*", "* -e      JAB*", "* -enc JAB*", "* -enco JAB*", "* -encodedcommand JAB*", "* BA^J e-", "* -e SUVYI*", "* -e aWV4I*", "* -e SQBFAFgA*", "* -e aQBlAHgA*", "* -enc SUVYI*", "* -enc aWV4I*", "* -enc SQBFAFgA*", "* -enc aQBlAHgA*"]  -(CommandLine="* -ExecutionPolicy remotesigned *"))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*.* -e JAB.*|.*.* -e  JAB.*|.*.* -e   JAB.*|.*.* -e    JAB.*|.*.* -e     JAB.*|.*.* -e      JAB.*|.*.* -enc JAB.*|.*.* -enco JAB.*|.*.* -encodedcommand JAB.*|.*.* BA\\^J e-|.*.* -e SUVYI.*|.*.* -e aWV4I.*|.*.* -e SQBFAFgA.*|.*.* -e aQBlAHgA.*|.*.* -enc SUVYI.*|.*.* -enc aWV4I.*|.*.* -enc SQBFAFgA.*|.*.* -enc aQBlAHgA.*))(?=.*(?!.*(?:.*(?=.*.* -ExecutionPolicy remotesigned .*)))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_powershell_hidden_b64_cmd.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_powershell_hidden_b64_cmd.md
index 52d3c75..4460c13 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_powershell_hidden_b64_cmd.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_powershell_hidden_b64_cmd.md
@@ -3,7 +3,7 @@
 | Description          | Detects base64 encoded strings used in hidden malicious PowerShell command lines                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul>  |
 | Severity Level       | high |
@@ -96,6 +96,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(Image.keyword:*\\\\powershell.exe AND CommandLine.keyword:*\\ hidden\\ * AND CommandLine.keyword:(*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA* OR *aXRzYWRtaW4gL3RyYW5zZmVy* OR *IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA* OR *JpdHNhZG1pbiAvdHJhbnNmZX* OR *YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg* OR *Yml0c2FkbWluIC90cmFuc2Zlc* OR *AGMAaAB1AG4AawBfAHMAaQB6AGUA* OR *JABjAGgAdQBuAGsAXwBzAGkAegBlA* OR *JGNodW5rX3Npem* OR *QAYwBoAHUAbgBrAF8AcwBpAHoAZQ* OR *RjaHVua19zaXpl* OR *Y2h1bmtfc2l6Z* OR *AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A* OR *kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg* OR *lPLkNvbXByZXNzaW9u* OR *SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA* OR *SU8uQ29tcHJlc3Npb2* OR *Ty5Db21wcmVzc2lvb* OR *AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ* OR *kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA* OR *lPLk1lbW9yeVN0cmVhb* OR *SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A* OR *SU8uTWVtb3J5U3RyZWFt* OR *Ty5NZW1vcnlTdHJlYW* OR *4ARwBlAHQAQwBoAHUAbgBrA* OR *5HZXRDaHVua* OR *AEcAZQB0AEMAaAB1AG4Aaw* OR *LgBHAGUAdABDAGgAdQBuAGsA* OR *LkdldENodW5r* OR *R2V0Q2h1bm* OR *AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A* OR *QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA* OR *RIUkVBRF9JTkZPNj* OR *SFJFQURfSU5GTzY0* OR *VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA* OR *VEhSRUFEX0lORk82N* OR *AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA* OR *cmVhdGVSZW1vdGVUaHJlYW* OR *MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA* OR *NyZWF0ZVJlbW90ZVRocmVhZ* OR *Q3JlYXRlUmVtb3RlVGhyZWFk* OR *QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA* OR *0AZQBtAG0AbwB2AGUA* OR *1lbW1vdm* OR *AGUAbQBtAG8AdgBlA* OR *bQBlAG0AbQBvAHYAZQ* OR *bWVtbW92Z* OR *ZW1tb3Zl*))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Malicious-Base64-encoded-PowerShell-Keywords-in-command-lines <<EOF\n{\n  "metadata": {\n    "title": "Malicious Base64 encoded PowerShell Keywords in command lines",\n    "description": "Detects base64 encoded strings used in hidden malicious PowerShell command lines",\n    "tags": [\n      "attack.execution",\n      "attack.t1086"\n    ],\n    "query": "(Image.keyword:*\\\\\\\\powershell.exe AND CommandLine.keyword:*\\\\ hidden\\\\ * AND CommandLine.keyword:(*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA* OR *aXRzYWRtaW4gL3RyYW5zZmVy* OR *IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA* OR *JpdHNhZG1pbiAvdHJhbnNmZX* OR *YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg* OR *Yml0c2FkbWluIC90cmFuc2Zlc* OR *AGMAaAB1AG4AawBfAHMAaQB6AGUA* OR *JABjAGgAdQBuAGsAXwBzAGkAegBlA* OR *JGNodW5rX3Npem* OR *QAYwBoAHUAbgBrAF8AcwBpAHoAZQ* OR *RjaHVua19zaXpl* OR *Y2h1bmtfc2l6Z* OR *AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A* OR *kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg* OR *lPLkNvbXByZXNzaW9u* OR *SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA* OR *SU8uQ29tcHJlc3Npb2* OR *Ty5Db21wcmVzc2lvb* OR *AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ* OR *kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA* OR *lPLk1lbW9yeVN0cmVhb* OR *SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A* OR *SU8uTWVtb3J5U3RyZWFt* OR *Ty5NZW1vcnlTdHJlYW* OR *4ARwBlAHQAQwBoAHUAbgBrA* OR *5HZXRDaHVua* OR *AEcAZQB0AEMAaAB1AG4Aaw* OR *LgBHAGUAdABDAGgAdQBuAGsA* OR *LkdldENodW5r* OR *R2V0Q2h1bm* OR *AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A* OR *QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA* OR *RIUkVBRF9JTkZPNj* OR *SFJFQURfSU5GTzY0* OR *VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA* OR *VEhSRUFEX0lORk82N* OR *AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA* OR *cmVhdGVSZW1vdGVUaHJlYW* OR *MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA* OR *NyZWF0ZVJlbW90ZVRocmVhZ* OR *Q3JlYXRlUmVtb3RlVGhyZWFk* OR *QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA* OR *0AZQBtAG0AbwB2AGUA* OR *1lbW1vdm* OR *AGUAbQBtAG8AdgBlA* OR *bQBlAG0AbQBvAHYAZQ* OR *bWVtbW92Z* OR *ZW1tb3Zl*))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(Image.keyword:*\\\\\\\\powershell.exe AND CommandLine.keyword:*\\\\ hidden\\\\ * AND CommandLine.keyword:(*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA* OR *aXRzYWRtaW4gL3RyYW5zZmVy* OR *IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA* OR *JpdHNhZG1pbiAvdHJhbnNmZX* OR *YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg* OR *Yml0c2FkbWluIC90cmFuc2Zlc* OR *AGMAaAB1AG4AawBfAHMAaQB6AGUA* OR *JABjAGgAdQBuAGsAXwBzAGkAegBlA* OR *JGNodW5rX3Npem* OR *QAYwBoAHUAbgBrAF8AcwBpAHoAZQ* OR *RjaHVua19zaXpl* OR *Y2h1bmtfc2l6Z* OR *AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A* OR *kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg* OR *lPLkNvbXByZXNzaW9u* OR *SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA* OR *SU8uQ29tcHJlc3Npb2* OR *Ty5Db21wcmVzc2lvb* OR *AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ* OR *kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA* OR *lPLk1lbW9yeVN0cmVhb* OR *SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A* OR *SU8uTWVtb3J5U3RyZWFt* OR *Ty5NZW1vcnlTdHJlYW* OR *4ARwBlAHQAQwBoAHUAbgBrA* OR *5HZXRDaHVua* OR *AEcAZQB0AEMAaAB1AG4Aaw* OR *LgBHAGUAdABDAGgAdQBuAGsA* OR *LkdldENodW5r* OR *R2V0Q2h1bm* OR *AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A* OR *QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA* OR *RIUkVBRF9JTkZPNj* OR *SFJFQURfSU5GTzY0* OR *VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA* OR *VEhSRUFEX0lORk82N* OR *AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA* OR *cmVhdGVSZW1vdGVUaHJlYW* OR *MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA* OR *NyZWF0ZVJlbW90ZVRocmVhZ* OR *Q3JlYXRlUmVtb3RlVGhyZWFk* OR *QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA* OR *0AZQBtAG0AbwB2AGUA* OR *1lbW1vdm* OR *AGUAbQBtAG8AdgBlA* OR *bQBlAG0AbQBvAHYAZQ* OR *bWVtbW92Z* OR *ZW1tb3Zl*))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Malicious Base64 encoded PowerShell Keywords in command lines\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(Image.keyword:*\\\\powershell.exe AND CommandLine.keyword:* hidden * AND CommandLine.keyword:(*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA* *aXRzYWRtaW4gL3RyYW5zZmVy* *IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA* *JpdHNhZG1pbiAvdHJhbnNmZX* *YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg* *Yml0c2FkbWluIC90cmFuc2Zlc* *AGMAaAB1AG4AawBfAHMAaQB6AGUA* *JABjAGgAdQBuAGsAXwBzAGkAegBlA* *JGNodW5rX3Npem* *QAYwBoAHUAbgBrAF8AcwBpAHoAZQ* *RjaHVua19zaXpl* *Y2h1bmtfc2l6Z* *AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A* *kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg* *lPLkNvbXByZXNzaW9u* *SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA* *SU8uQ29tcHJlc3Npb2* *Ty5Db21wcmVzc2lvb* *AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ* *kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA* *lPLk1lbW9yeVN0cmVhb* *SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A* *SU8uTWVtb3J5U3RyZWFt* *Ty5NZW1vcnlTdHJlYW* *4ARwBlAHQAQwBoAHUAbgBrA* *5HZXRDaHVua* *AEcAZQB0AEMAaAB1AG4Aaw* *LgBHAGUAdABDAGgAdQBuAGsA* *LkdldENodW5r* *R2V0Q2h1bm* *AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A* *QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA* *RIUkVBRF9JTkZPNj* *SFJFQURfSU5GTzY0* *VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA* *VEhSRUFEX0lORk82N* *AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA* *cmVhdGVSZW1vdGVUaHJlYW* *MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA* *NyZWF0ZVJlbW90ZVRocmVhZ* *Q3JlYXRlUmVtb3RlVGhyZWFk* *QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA* *0AZQBtAG0AbwB2AGUA* *1lbW1vdm* *AGUAbQBtAG8AdgBlA* *bQBlAG0AbQBvAHYAZQ* *bWVtbW92Z* *ZW1tb3Zl*))
+```
+
+
 ### splunk
     
 ```
@@ -103,4 +124,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" Image="*\\\\powershell.exe" CommandLine="* hidden *" CommandLine IN ["*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA*", "*aXRzYWRtaW4gL3RyYW5zZmVy*", "*IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA*", "*JpdHNhZG1pbiAvdHJhbnNmZX*", "*YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg*", "*Yml0c2FkbWluIC90cmFuc2Zlc*", "*AGMAaAB1AG4AawBfAHMAaQB6AGUA*", "*JABjAGgAdQBuAGsAXwBzAGkAegBlA*", "*JGNodW5rX3Npem*", "*QAYwBoAHUAbgBrAF8AcwBpAHoAZQ*", "*RjaHVua19zaXpl*", "*Y2h1bmtfc2l6Z*", "*AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A*", "*kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg*", "*lPLkNvbXByZXNzaW9u*", "*SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA*", "*SU8uQ29tcHJlc3Npb2*", "*Ty5Db21wcmVzc2lvb*", "*AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ*", "*kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA*", "*lPLk1lbW9yeVN0cmVhb*", "*SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A*", "*SU8uTWVtb3J5U3RyZWFt*", "*Ty5NZW1vcnlTdHJlYW*", "*4ARwBlAHQAQwBoAHUAbgBrA*", "*5HZXRDaHVua*", "*AEcAZQB0AEMAaAB1AG4Aaw*", "*LgBHAGUAdABDAGgAdQBuAGsA*", "*LkdldENodW5r*", "*R2V0Q2h1bm*", "*AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A*", "*QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA*", "*RIUkVBRF9JTkZPNj*", "*SFJFQURfSU5GTzY0*", "*VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA*", "*VEhSRUFEX0lORk82N*", "*AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA*", "*cmVhdGVSZW1vdGVUaHJlYW*", "*MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA*", "*NyZWF0ZVJlbW90ZVRocmVhZ*", "*Q3JlYXRlUmVtb3RlVGhyZWFk*", "*QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA*", "*0AZQBtAG0AbwB2AGUA*", "*1lbW1vdm*", "*AGUAbQBtAG8AdgBlA*", "*bQBlAG0AbQBvAHYAZQ*", "*bWVtbW92Z*", "*ZW1tb3Zl*"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*.*\\powershell\\.exe)(?=.*.* hidden .*)(?=.*(?:.*.*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA.*|.*.*aXRzYWRtaW4gL3RyYW5zZmVy.*|.*.*IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA.*|.*.*JpdHNhZG1pbiAvdHJhbnNmZX.*|.*.*YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg.*|.*.*Yml0c2FkbWluIC90cmFuc2Zlc.*|.*.*AGMAaAB1AG4AawBfAHMAaQB6AGUA.*|.*.*JABjAGgAdQBuAGsAXwBzAGkAegBlA.*|.*.*JGNodW5rX3Npem.*|.*.*QAYwBoAHUAbgBrAF8AcwBpAHoAZQ.*|.*.*RjaHVua19zaXpl.*|.*.*Y2h1bmtfc2l6Z.*|.*.*AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A.*|.*.*kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg.*|.*.*lPLkNvbXByZXNzaW9u.*|.*.*SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA.*|.*.*SU8uQ29tcHJlc3Npb2.*|.*.*Ty5Db21wcmVzc2lvb.*|.*.*AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ.*|.*.*kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA.*|.*.*lPLk1lbW9yeVN0cmVhb.*|.*.*SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A.*|.*.*SU8uTWVtb3J5U3RyZWFt.*|.*.*Ty5NZW1vcnlTdHJlYW.*|.*.*4ARwBlAHQAQwBoAHUAbgBrA.*|.*.*5HZXRDaHVua.*|.*.*AEcAZQB0AEMAaAB1AG4Aaw.*|.*.*LgBHAGUAdABDAGgAdQBuAGsA.*|.*.*LkdldENodW5r.*|.*.*R2V0Q2h1bm.*|.*.*AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A.*|.*.*QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA.*|.*.*RIUkVBRF9JTkZPNj.*|.*.*SFJFQURfSU5GTzY0.*|.*.*VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA.*|.*.*VEhSRUFEX0lORk82N.*|.*.*AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA.*|.*.*cmVhdGVSZW1vdGVUaHJlYW.*|.*.*MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA.*|.*.*NyZWF0ZVJlbW90ZVRocmVhZ.*|.*.*Q3JlYXRlUmVtb3RlVGhyZWFk.*|.*.*QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA.*|.*.*0AZQBtAG0AbwB2AGUA.*|.*.*1lbW1vdm.*|.*.*AGUAbQBtAG8AdgBlA.*|.*.*bQBlAG0AbQBvAHYAZQ.*|.*.*bWVtbW92Z.*|.*.*ZW1tb3Zl.*)))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_powershell_parent_combo.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_powershell_parent_combo.md
index d5db330..0cf3faf 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_powershell_parent_combo.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_powershell_parent_combo.md
@@ -55,6 +55,27 @@ level: medium
 
 
 
+### es-qs
+    
+```
+((ParentImage.keyword:(*\\\\wscript.exe OR *\\\\cscript.exe) AND Image.keyword:(*\\\\powershell.exe)) AND (NOT (CurrentDirectory.keyword:*\\\\Health\\ Service\\ State\\\\*)))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-PowerShell-Invocation-based-on-Parent-Process <<EOF\n{\n  "metadata": {\n    "title": "Suspicious PowerShell Invocation based on Parent Process",\n    "description": "Detects suspicious powershell invocations from interpreters or unusual programs",\n    "tags": [\n      "attack.execution",\n      "attack.t1086"\n    ],\n    "query": "((ParentImage.keyword:(*\\\\\\\\wscript.exe OR *\\\\\\\\cscript.exe) AND Image.keyword:(*\\\\\\\\powershell.exe)) AND (NOT (CurrentDirectory.keyword:*\\\\\\\\Health\\\\ Service\\\\ State\\\\\\\\*)))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "((ParentImage.keyword:(*\\\\\\\\wscript.exe OR *\\\\\\\\cscript.exe) AND Image.keyword:(*\\\\\\\\powershell.exe)) AND (NOT (CurrentDirectory.keyword:*\\\\\\\\Health\\\\ Service\\\\ State\\\\\\\\*)))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Suspicious PowerShell Invocation based on Parent Process\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n      CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+((ParentImage.keyword:(*\\\\wscript.exe *\\\\cscript.exe) AND Image.keyword:(*\\\\powershell.exe)) AND (NOT (CurrentDirectory.keyword:*\\\\Health Service State\\\\*)))
+```
+
+
 ### splunk
     
 ```
@@ -62,4 +83,18 @@ level: medium
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" (ParentImage IN ["*\\\\wscript.exe", "*\\\\cscript.exe"] Image IN ["*\\\\powershell.exe"])  -(CurrentDirectory="*\\\\Health Service State\\\\*"))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*(?=.*(?:.*.*\\wscript\\.exe|.*.*\\cscript\\.exe))(?=.*(?:.*.*\\powershell\\.exe))))(?=.*(?!.*(?:.*(?=.*.*\\Health Service State\\\\.*)))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_procdump.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_procdump.md
index 529ccf2..408465a 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_procdump.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_procdump.md
@@ -3,7 +3,7 @@
 | Description          | Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable.                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li><li>[T1003: Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1036: Masquerading](../Triggers/T1036.md)</li><li>[T1003: Credential Dumping](../Triggers/T1003.md)</li></ul>  |
 | Severity Level       | medium |
@@ -58,6 +58,27 @@ level: medium
 
 
 
+### es-qs
+    
+```
+((CommandLine.keyword:(*\\ \\-ma\\ *) AND CommandLine.keyword:(*\\ lsass*)) OR CommandLine.keyword:(*\\ \\-ma\\ ls*))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-Use-of-Procdump <<EOF\n{\n  "metadata": {\n    "title": "Suspicious Use of Procdump",\n    "description": "Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we\'re also able to catch cases in which the attacker has renamed the procdump executable.",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.t1036",\n      "attack.credential_access",\n      "attack.t1003",\n      "car.2013-05-009"\n    ],\n    "query": "((CommandLine.keyword:(*\\\\ \\\\-ma\\\\ *) AND CommandLine.keyword:(*\\\\ lsass*)) OR CommandLine.keyword:(*\\\\ \\\\-ma\\\\ ls*))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "((CommandLine.keyword:(*\\\\ \\\\-ma\\\\ *) AND CommandLine.keyword:(*\\\\ lsass*)) OR CommandLine.keyword:(*\\\\ \\\\-ma\\\\ ls*))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Suspicious Use of Procdump\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+((CommandLine.keyword:(* \\-ma *) AND CommandLine.keyword:(* lsass*)) OR CommandLine.keyword:(* \\-ma ls*))
+```
+
+
 ### splunk
     
 ```
@@ -65,4 +86,18 @@ level: medium
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" ((event_id="1" CommandLine IN ["* -ma *"] CommandLine IN ["* lsass*"]) OR CommandLine IN ["* -ma ls*"]))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?:.*(?:.*(?=.*(?:.*.* -ma .*))(?=.*(?:.*.* lsass.*)))|.*(?:.*.* -ma ls.*)))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_process_creations.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_process_creations.md
index a359804..b13e0fa 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_process_creations.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_process_creations.md
@@ -3,7 +3,7 @@
 | Description          | Detects suspicious process starts on Windows systems based on keywords                                                                                                                                           |
 | ATT&amp;CK Tactic    |   This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet  |
 | ATT&amp;CK Technique |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              |  There is no documented Trigger for this Detection Rule yet  |
 | Severity Level       | medium |
@@ -102,6 +102,27 @@ level: medium
 
 
 
+### es-qs
+    
+```
+CommandLine.keyword:(vssadmin.exe\\ delete\\ shadows* OR vssadmin\\ delete\\ shadows* OR vssadmin\\ create\\ shadow\\ \\/for\\=C\\:* OR copy\\ \\\\?\\\\GLOBALROOT\\\\Device\\\\*\\\\windows\\\\ntds\\\\ntds.dit* OR copy\\ \\\\?\\\\GLOBALROOT\\\\Device\\\\*\\\\config\\\\SAM* OR reg\\ SAVE\\ HKLM\\\\SYSTEM\\ * OR reg\\ SAVE\\ HKLM\\\\SAM\\ * OR *\\ sekurlsa\\:* OR net\\ localgroup\\ administrators\\ *\\ \\/add OR net\\ group\\ \\"Domain\\ Admins\\"\\ *\\ \\/ADD\\ \\/DOMAIN OR certutil.exe\\ *\\-urlcache*\\ http* OR certutil.exe\\ *\\-urlcache*\\ ftp* OR netsh\\ advfirewall\\ firewall\\ *\\\\AppData\\\\* OR attrib\\ \\+S\\ \\+H\\ \\+R\\ *\\\\AppData\\\\* OR schtasks*\\ \\/create\\ *\\\\AppData\\\\* OR schtasks*\\ \\/sc\\ minute* OR *\\\\Regasm.exe\\ *\\\\AppData\\\\* OR *\\\\Regasm\\ *\\\\AppData\\\\* OR *\\\\bitsadmin*\\ \\/transfer* OR *\\\\certutil.exe\\ *\\ \\-decode\\ * OR *\\\\certutil.exe\\ *\\ \\-decodehex\\ * OR *\\\\certutil.exe\\ \\-ping\\ * OR icacls\\ *\\ \\/grant\\ Everyone\\:F\\ \\/T\\ \\/C\\ \\/Q OR *\\ wmic\\ shadowcopy\\ delete\\ * OR *\\ wbadmin.exe\\ delete\\ catalog\\ \\-quiet* OR *\\\\wscript.exe\\ *.jse OR *\\\\wscript.exe\\ *.js OR *\\\\wscript.exe\\ *.vba OR *\\\\wscript.exe\\ *.vbe OR *\\\\cscript.exe\\ *.jse OR *\\\\cscript.exe\\ *.js OR *\\\\cscript.exe\\ *.vba OR *\\\\cscript.exe\\ *.vbe OR *\\\\fodhelper.exe OR *waitfor*\\/s* OR *waitfor*\\/si\\ persist* OR *remote*\\/s* OR *remote*\\/c* OR *remote*\\/q* OR *AddInProcess* OR *\\ \\/stext\\ * OR *\\ \\/scomma\\ * OR *\\ \\/stab\\ * OR *\\ \\/stabular\\ * OR *\\ \\/shtml\\ * OR *\\ \\/sverhtml\\ * OR *\\ \\/sxml\\ *)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-Process-Creation <<EOF\n{\n  "metadata": {\n    "title": "Suspicious Process Creation",\n    "description": "Detects suspicious process starts on Windows systems based on keywords",\n    "tags": [\n      "car.2013-07-001"\n    ],\n    "query": "CommandLine.keyword:(vssadmin.exe\\\\ delete\\\\ shadows* OR vssadmin\\\\ delete\\\\ shadows* OR vssadmin\\\\ create\\\\ shadow\\\\ \\\\/for\\\\=C\\\\:* OR copy\\\\ \\\\\\\\?\\\\\\\\GLOBALROOT\\\\\\\\Device\\\\\\\\*\\\\\\\\windows\\\\\\\\ntds\\\\\\\\ntds.dit* OR copy\\\\ \\\\\\\\?\\\\\\\\GLOBALROOT\\\\\\\\Device\\\\\\\\*\\\\\\\\config\\\\\\\\SAM* OR reg\\\\ SAVE\\\\ HKLM\\\\\\\\SYSTEM\\\\ * OR reg\\\\ SAVE\\\\ HKLM\\\\\\\\SAM\\\\ * OR *\\\\ sekurlsa\\\\:* OR net\\\\ localgroup\\\\ administrators\\\\ *\\\\ \\\\/add OR net\\\\ group\\\\ \\\\\\"Domain\\\\ Admins\\\\\\"\\\\ *\\\\ \\\\/ADD\\\\ \\\\/DOMAIN OR certutil.exe\\\\ *\\\\-urlcache*\\\\ http* OR certutil.exe\\\\ *\\\\-urlcache*\\\\ ftp* OR netsh\\\\ advfirewall\\\\ firewall\\\\ *\\\\\\\\AppData\\\\\\\\* OR attrib\\\\ \\\\+S\\\\ \\\\+H\\\\ \\\\+R\\\\ *\\\\\\\\AppData\\\\\\\\* OR schtasks*\\\\ \\\\/create\\\\ *\\\\\\\\AppData\\\\\\\\* OR schtasks*\\\\ \\\\/sc\\\\ minute* OR *\\\\\\\\Regasm.exe\\\\ *\\\\\\\\AppData\\\\\\\\* OR *\\\\\\\\Regasm\\\\ *\\\\\\\\AppData\\\\\\\\* OR *\\\\\\\\bitsadmin*\\\\ \\\\/transfer* OR *\\\\\\\\certutil.exe\\\\ *\\\\ \\\\-decode\\\\ * OR *\\\\\\\\certutil.exe\\\\ *\\\\ \\\\-decodehex\\\\ * OR *\\\\\\\\certutil.exe\\\\ \\\\-ping\\\\ * OR icacls\\\\ *\\\\ \\\\/grant\\\\ Everyone\\\\:F\\\\ \\\\/T\\\\ \\\\/C\\\\ \\\\/Q OR *\\\\ wmic\\\\ shadowcopy\\\\ delete\\\\ * OR *\\\\ wbadmin.exe\\\\ delete\\\\ catalog\\\\ \\\\-quiet* OR *\\\\\\\\wscript.exe\\\\ *.jse OR *\\\\\\\\wscript.exe\\\\ *.js OR *\\\\\\\\wscript.exe\\\\ *.vba OR *\\\\\\\\wscript.exe\\\\ *.vbe OR *\\\\\\\\cscript.exe\\\\ *.jse OR *\\\\\\\\cscript.exe\\\\ *.js OR *\\\\\\\\cscript.exe\\\\ *.vba OR *\\\\\\\\cscript.exe\\\\ *.vbe OR *\\\\\\\\fodhelper.exe OR *waitfor*\\\\/s* OR *waitfor*\\\\/si\\\\ persist* OR *remote*\\\\/s* OR *remote*\\\\/c* OR *remote*\\\\/q* OR *AddInProcess* OR *\\\\ \\\\/stext\\\\ * OR *\\\\ \\\\/scomma\\\\ * OR *\\\\ \\\\/stab\\\\ * OR *\\\\ \\\\/stabular\\\\ * OR *\\\\ \\\\/shtml\\\\ * OR *\\\\ \\\\/sverhtml\\\\ * OR *\\\\ \\\\/sxml\\\\ *)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "CommandLine.keyword:(vssadmin.exe\\\\ delete\\\\ shadows* OR vssadmin\\\\ delete\\\\ shadows* OR vssadmin\\\\ create\\\\ shadow\\\\ \\\\/for\\\\=C\\\\:* OR copy\\\\ \\\\\\\\?\\\\\\\\GLOBALROOT\\\\\\\\Device\\\\\\\\*\\\\\\\\windows\\\\\\\\ntds\\\\\\\\ntds.dit* OR copy\\\\ \\\\\\\\?\\\\\\\\GLOBALROOT\\\\\\\\Device\\\\\\\\*\\\\\\\\config\\\\\\\\SAM* OR reg\\\\ SAVE\\\\ HKLM\\\\\\\\SYSTEM\\\\ * OR reg\\\\ SAVE\\\\ HKLM\\\\\\\\SAM\\\\ * OR *\\\\ sekurlsa\\\\:* OR net\\\\ localgroup\\\\ administrators\\\\ *\\\\ \\\\/add OR net\\\\ group\\\\ \\\\\\"Domain\\\\ Admins\\\\\\"\\\\ *\\\\ \\\\/ADD\\\\ \\\\/DOMAIN OR certutil.exe\\\\ *\\\\-urlcache*\\\\ http* OR certutil.exe\\\\ *\\\\-urlcache*\\\\ ftp* OR netsh\\\\ advfirewall\\\\ firewall\\\\ *\\\\\\\\AppData\\\\\\\\* OR attrib\\\\ \\\\+S\\\\ \\\\+H\\\\ \\\\+R\\\\ *\\\\\\\\AppData\\\\\\\\* OR schtasks*\\\\ \\\\/create\\\\ *\\\\\\\\AppData\\\\\\\\* OR schtasks*\\\\ \\\\/sc\\\\ minute* OR *\\\\\\\\Regasm.exe\\\\ *\\\\\\\\AppData\\\\\\\\* OR *\\\\\\\\Regasm\\\\ *\\\\\\\\AppData\\\\\\\\* OR *\\\\\\\\bitsadmin*\\\\ \\\\/transfer* OR *\\\\\\\\certutil.exe\\\\ *\\\\ \\\\-decode\\\\ * OR *\\\\\\\\certutil.exe\\\\ *\\\\ \\\\-decodehex\\\\ * OR *\\\\\\\\certutil.exe\\\\ \\\\-ping\\\\ * OR icacls\\\\ *\\\\ \\\\/grant\\\\ Everyone\\\\:F\\\\ \\\\/T\\\\ \\\\/C\\\\ \\\\/Q OR *\\\\ wmic\\\\ shadowcopy\\\\ delete\\\\ * OR *\\\\ wbadmin.exe\\\\ delete\\\\ catalog\\\\ \\\\-quiet* OR *\\\\\\\\wscript.exe\\\\ *.jse OR *\\\\\\\\wscript.exe\\\\ *.js OR *\\\\\\\\wscript.exe\\\\ *.vba OR *\\\\\\\\wscript.exe\\\\ *.vbe OR *\\\\\\\\cscript.exe\\\\ *.jse OR *\\\\\\\\cscript.exe\\\\ *.js OR *\\\\\\\\cscript.exe\\\\ *.vba OR *\\\\\\\\cscript.exe\\\\ *.vbe OR *\\\\\\\\fodhelper.exe OR *waitfor*\\\\/s* OR *waitfor*\\\\/si\\\\ persist* OR *remote*\\\\/s* OR *remote*\\\\/c* OR *remote*\\\\/q* OR *AddInProcess* OR *\\\\ \\\\/stext\\\\ * OR *\\\\ \\\\/scomma\\\\ * OR *\\\\ \\\\/stab\\\\ * OR *\\\\ \\\\/stabular\\\\ * OR *\\\\ \\\\/shtml\\\\ * OR *\\\\ \\\\/sverhtml\\\\ * OR *\\\\ \\\\/sxml\\\\ *)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Suspicious Process Creation\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+CommandLine.keyword:(vssadmin.exe delete shadows* vssadmin delete shadows* vssadmin create shadow \\/for=C\\:* copy \\\\?\\\\GLOBALROOT\\\\Device\\\\*\\\\windows\\\\ntds\\\\ntds.dit* copy \\\\?\\\\GLOBALROOT\\\\Device\\\\*\\\\config\\\\SAM* reg SAVE HKLM\\\\SYSTEM * reg SAVE HKLM\\\\SAM * * sekurlsa\\:* net localgroup administrators * \\/add net group \\"Domain Admins\\" * \\/ADD \\/DOMAIN certutil.exe *\\-urlcache* http* certutil.exe *\\-urlcache* ftp* netsh advfirewall firewall *\\\\AppData\\\\* attrib \\+S \\+H \\+R *\\\\AppData\\\\* schtasks* \\/create *\\\\AppData\\\\* schtasks* \\/sc minute* *\\\\Regasm.exe *\\\\AppData\\\\* *\\\\Regasm *\\\\AppData\\\\* *\\\\bitsadmin* \\/transfer* *\\\\certutil.exe * \\-decode * *\\\\certutil.exe * \\-decodehex * *\\\\certutil.exe \\-ping * icacls * \\/grant Everyone\\:F \\/T \\/C \\/Q * wmic shadowcopy delete * * wbadmin.exe delete catalog \\-quiet* *\\\\wscript.exe *.jse *\\\\wscript.exe *.js *\\\\wscript.exe *.vba *\\\\wscript.exe *.vbe *\\\\cscript.exe *.jse *\\\\cscript.exe *.js *\\\\cscript.exe *.vba *\\\\cscript.exe *.vbe *\\\\fodhelper.exe *waitfor*\\/s* *waitfor*\\/si persist* *remote*\\/s* *remote*\\/c* *remote*\\/q* *AddInProcess* * \\/stext * * \\/scomma * * \\/stab * * \\/stabular * * \\/shtml * * \\/sverhtml * * \\/sxml *)
+```
+
+
 ### splunk
     
 ```
@@ -109,4 +130,18 @@ level: medium
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" CommandLine IN ["vssadmin.exe delete shadows*", "vssadmin delete shadows*", "vssadmin create shadow /for=C:*", "copy \\\\?\\\\GLOBALROOT\\\\Device\\\\*\\\\windows\\\\ntds\\\\ntds.dit*", "copy \\\\?\\\\GLOBALROOT\\\\Device\\\\*\\\\config\\\\SAM*", "reg SAVE HKLM\\\\SYSTEM *", "reg SAVE HKLM\\\\SAM *", "* sekurlsa:*", "net localgroup administrators * /add", "net group \\"Domain Admins\\" * /ADD /DOMAIN", "certutil.exe *-urlcache* http*", "certutil.exe *-urlcache* ftp*", "netsh advfirewall firewall *\\\\AppData\\\\*", "attrib +S +H +R *\\\\AppData\\\\*", "schtasks* /create *\\\\AppData\\\\*", "schtasks* /sc minute*", "*\\\\Regasm.exe *\\\\AppData\\\\*", "*\\\\Regasm *\\\\AppData\\\\*", "*\\\\bitsadmin* /transfer*", "*\\\\certutil.exe * -decode *", "*\\\\certutil.exe * -decodehex *", "*\\\\certutil.exe -ping *", "icacls * /grant Everyone:F /T /C /Q", "* wmic shadowcopy delete *", "* wbadmin.exe delete catalog -quiet*", "*\\\\wscript.exe *.jse", "*\\\\wscript.exe *.js", "*\\\\wscript.exe *.vba", "*\\\\wscript.exe *.vbe", "*\\\\cscript.exe *.jse", "*\\\\cscript.exe *.js", "*\\\\cscript.exe *.vba", "*\\\\cscript.exe *.vbe", "*\\\\fodhelper.exe", "*waitfor*/s*", "*waitfor*/si persist*", "*remote*/s*", "*remote*/c*", "*remote*/q*", "*AddInProcess*", "* /stext *", "* /scomma *", "* /stab *", "* /stabular *", "* /shtml *", "* /sverhtml *", "* /sxml *"])
+```
+
+
+### grep
+    
+```
+grep -P \'^(?:.*vssadmin\\.exe delete shadows.*|.*vssadmin delete shadows.*|.*vssadmin create shadow /for=C:.*|.*copy \\\\?\\GLOBALROOT\\Device\\\\.*\\windows\\ntds\\ntds\\.dit.*|.*copy \\\\?\\GLOBALROOT\\Device\\\\.*\\config\\SAM.*|.*reg SAVE HKLM\\SYSTEM .*|.*reg SAVE HKLM\\SAM .*|.*.* sekurlsa:.*|.*net localgroup administrators .* /add|.*net group "Domain Admins" .* /ADD /DOMAIN|.*certutil\\.exe .*-urlcache.* http.*|.*certutil\\.exe .*-urlcache.* ftp.*|.*netsh advfirewall firewall .*\\AppData\\\\.*|.*attrib \\+S \\+H \\+R .*\\AppData\\\\.*|.*schtasks.* /create .*\\AppData\\\\.*|.*schtasks.* /sc minute.*|.*.*\\Regasm\\.exe .*\\AppData\\\\.*|.*.*\\Regasm .*\\AppData\\\\.*|.*.*\\bitsadmin.* /transfer.*|.*.*\\certutil\\.exe .* -decode .*|.*.*\\certutil\\.exe .* -decodehex .*|.*.*\\certutil\\.exe -ping .*|.*icacls .* /grant Everyone:F /T /C /Q|.*.* wmic shadowcopy delete .*|.*.* wbadmin\\.exe delete catalog -quiet.*|.*.*\\wscript\\.exe .*\\.jse|.*.*\\wscript\\.exe .*\\.js|.*.*\\wscript\\.exe .*\\.vba|.*.*\\wscript\\.exe .*\\.vbe|.*.*\\cscript\\.exe .*\\.jse|.*.*\\cscript\\.exe .*\\.js|.*.*\\cscript\\.exe .*\\.vba|.*.*\\cscript\\.exe .*\\.vbe|.*.*\\fodhelper\\.exe|.*.*waitfor.*/s.*|.*.*waitfor.*/si persist.*|.*.*remote.*/s.*|.*.*remote.*/c.*|.*.*remote.*/q.*|.*.*AddInProcess.*|.*.* /stext .*|.*.* /scomma .*|.*.* /stab .*|.*.* /stabular .*|.*.* /shtml .*|.*.* /sverhtml .*|.*.* /sxml .*)\'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_prog_location_process_starts.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_prog_location_process_starts.md
index 039571a..f614088 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_prog_location_process_starts.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_prog_location_process_starts.md
@@ -3,7 +3,7 @@
 | Description          | Detects programs running in suspicious files system locations                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1036: Masquerading](../Triggers/T1036.md)</li></ul>  |
 | Severity Level       | high |
@@ -53,6 +53,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+Image.keyword:(*\\\\$Recycle.bin OR *\\\\Users\\\\Public\\\\* OR C\\:\\\\Perflogs\\\\* OR *\\\\Windows\\\\Fonts\\\\* OR *\\\\Windows\\\\IME\\\\* OR *\\\\Windows\\\\addins\\\\* OR *\\\\Windows\\\\debug\\\\*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-Program-Location-Process-Starts <<EOF\n{\n  "metadata": {\n    "title": "Suspicious Program Location Process Starts",\n    "description": "Detects programs running in suspicious files system locations",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.t1036"\n    ],\n    "query": "Image.keyword:(*\\\\\\\\$Recycle.bin OR *\\\\\\\\Users\\\\\\\\Public\\\\\\\\* OR C\\\\:\\\\\\\\Perflogs\\\\\\\\* OR *\\\\\\\\Windows\\\\\\\\Fonts\\\\\\\\* OR *\\\\\\\\Windows\\\\\\\\IME\\\\\\\\* OR *\\\\\\\\Windows\\\\\\\\addins\\\\\\\\* OR *\\\\\\\\Windows\\\\\\\\debug\\\\\\\\*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "Image.keyword:(*\\\\\\\\$Recycle.bin OR *\\\\\\\\Users\\\\\\\\Public\\\\\\\\* OR C\\\\:\\\\\\\\Perflogs\\\\\\\\* OR *\\\\\\\\Windows\\\\\\\\Fonts\\\\\\\\* OR *\\\\\\\\Windows\\\\\\\\IME\\\\\\\\* OR *\\\\\\\\Windows\\\\\\\\addins\\\\\\\\* OR *\\\\\\\\Windows\\\\\\\\debug\\\\\\\\*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Suspicious Program Location Process Starts\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+Image.keyword:(*\\\\$Recycle.bin *\\\\Users\\\\Public\\\\* C\\:\\\\Perflogs\\\\* *\\\\Windows\\\\Fonts\\\\* *\\\\Windows\\\\IME\\\\* *\\\\Windows\\\\addins\\\\* *\\\\Windows\\\\debug\\\\*)
+```
+
+
 ### splunk
     
 ```
@@ -60,4 +81,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" Image IN ["*\\\\$Recycle.bin", "*\\\\Users\\\\Public\\\\*", "C:\\\\Perflogs\\\\*", "*\\\\Windows\\\\Fonts\\\\*", "*\\\\Windows\\\\IME\\\\*", "*\\\\Windows\\\\addins\\\\*", "*\\\\Windows\\\\debug\\\\*"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*.*\\\\$Recycle\\.bin|.*.*\\Users\\Public\\\\.*|.*C:\\Perflogs\\\\.*|.*.*\\Windows\\Fonts\\\\.*|.*.*\\Windows\\IME\\\\.*|.*.*\\Windows\\addins\\\\.*|.*.*\\Windows\\debug\\\\.*)'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_ps_appdata.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_ps_appdata.md
index 76472dc..b305ce6 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_ps_appdata.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_ps_appdata.md
@@ -3,7 +3,7 @@
 | Description          | Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul>  |
 | Severity Level       | medium |
@@ -49,6 +49,27 @@ level: medium
 
 
 
+### es-qs
+    
+```
+CommandLine.keyword:(*\\ \\/c\\ powershell*\\\\AppData\\\\Local\\\\* OR *\\ \\/c\\ powershell*\\\\AppData\\\\Roaming\\\\*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/PowerShell-Script-Run-in-AppData <<EOF\n{\n  "metadata": {\n    "title": "PowerShell Script Run in AppData",\n    "description": "Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder",\n    "tags": [\n      "attack.execution",\n      "attack.t1086"\n    ],\n    "query": "CommandLine.keyword:(*\\\\ \\\\/c\\\\ powershell*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\* OR *\\\\ \\\\/c\\\\ powershell*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "CommandLine.keyword:(*\\\\ \\\\/c\\\\ powershell*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\* OR *\\\\ \\\\/c\\\\ powershell*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'PowerShell Script Run in AppData\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+CommandLine.keyword:(* \\/c powershell*\\\\AppData\\\\Local\\\\* * \\/c powershell*\\\\AppData\\\\Roaming\\\\*)
+```
+
+
 ### splunk
     
 ```
@@ -56,4 +77,18 @@ level: medium
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" CommandLine IN ["* /c powershell*\\\\AppData\\\\Local\\\\*", "* /c powershell*\\\\AppData\\\\Roaming\\\\*"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*.* /c powershell.*\\AppData\\Local\\\\.*|.*.* /c powershell.*\\AppData\\Roaming\\\\.*)'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_psexec.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_psexec.md
index 31adb09..ee3082d 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_psexec.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_psexec.md
@@ -55,6 +55,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+((EventID:"5145" AND ShareName.keyword:\\\\*\\\\IPC$ AND RelativeTargetName.keyword:(*\\-stdin OR *\\-stdout OR *\\-stderr)) AND (NOT (EventID:"5145" AND ShareName.keyword:\\\\*\\\\IPC$ AND RelativeTargetName.keyword:PSEXESVC*)))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-PsExec-execution <<EOF\n{\n  "metadata": {\n    "title": "Suspicious PsExec execution",\n    "description": "detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one",\n    "tags": [\n      "attack.lateral_movement",\n      "attack.t1077"\n    ],\n    "query": "((EventID:\\"5145\\" AND ShareName.keyword:\\\\\\\\*\\\\\\\\IPC$ AND RelativeTargetName.keyword:(*\\\\-stdin OR *\\\\-stdout OR *\\\\-stderr)) AND (NOT (EventID:\\"5145\\" AND ShareName.keyword:\\\\\\\\*\\\\\\\\IPC$ AND RelativeTargetName.keyword:PSEXESVC*)))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "((EventID:\\"5145\\" AND ShareName.keyword:\\\\\\\\*\\\\\\\\IPC$ AND RelativeTargetName.keyword:(*\\\\-stdin OR *\\\\-stdout OR *\\\\-stderr)) AND (NOT (EventID:\\"5145\\" AND ShareName.keyword:\\\\\\\\*\\\\\\\\IPC$ AND RelativeTargetName.keyword:PSEXESVC*)))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Suspicious PsExec execution\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+((EventID:"5145" AND ShareName.keyword:\\\\*\\\\IPC$ AND RelativeTargetName.keyword:(*\\-stdin *\\-stdout *\\-stderr)) AND (NOT (EventID:"5145" AND ShareName.keyword:\\\\*\\\\IPC$ AND RelativeTargetName.keyword:PSEXESVC*)))
+```
+
+
 ### splunk
     
 ```
@@ -62,4 +83,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_source="Microsoft-Windows-Security-Auditing" (event_id="5145" ShareName="\\\\*\\\\IPC$" RelativeTargetName IN ["*-stdin", "*-stdout", "*-stderr"])  -(event_id="5145" ShareName="\\\\*\\\\IPC$" RelativeTargetName="PSEXESVC*"))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*(?=.*5145)(?=.*\\\\.*\\IPC\\$)(?=.*(?:.*.*-stdin|.*.*-stdout|.*.*-stderr))))(?=.*(?!.*(?:.*(?=.*5145)(?=.*\\\\.*\\IPC\\$)(?=.*PSEXESVC.*)))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_psr_capture_screenshots.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_psr_capture_screenshots.md
index a6cb96f..dcf2e53 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_psr_capture_screenshots.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_psr_capture_screenshots.md
@@ -49,6 +49,27 @@ falsepositives:
 
 
 
+### es-qs
+    
+```
+(Image.keyword:*\\\\Psr.exe AND CommandLine.keyword:*\\/start*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/psr.exe-capture-screenshots <<EOF\n{\n  "metadata": {\n    "title": "psr.exe capture screenshots",\n    "description": "The psr.exe captures desktop screenshots and saves them on the local machine",\n    "tags": [\n      "attack.persistence",\n      "attack.t1218"\n    ],\n    "query": "(Image.keyword:*\\\\\\\\Psr.exe AND CommandLine.keyword:*\\\\/start*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(Image.keyword:*\\\\\\\\Psr.exe AND CommandLine.keyword:*\\\\/start*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'psr.exe capture screenshots\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(Image.keyword:*\\\\Psr.exe AND CommandLine.keyword:*\\/start*)
+```
+
+
 ### splunk
     
 ```
@@ -56,4 +77,18 @@ falsepositives:
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" Image="*\\\\Psr.exe" CommandLine="*/start*")
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*.*\\Psr\\.exe)(?=.*.*/start.*))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_raccess_sensitive_fext.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_raccess_sensitive_fext.md
index 05c456e..3d1fff5 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_raccess_sensitive_fext.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_raccess_sensitive_fext.md
@@ -56,6 +56,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(EventID:("5145") AND RelativeTargetName.keyword:(*.pst OR *.ost OR *.msg OR *.nst OR *.oab OR *.edb OR *.nsf OR *.bak OR *.dmp OR *.kirbi OR *\\\\ntds.dit OR *\\\\groups.xml OR *.rdp))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-access-to-sensitive-file-extensions <<EOF\n{\n  "metadata": {\n    "title": "Suspicious access to sensitive file extensions",\n    "description": "Detects known sensitive file extensions",\n    "tags": [\n      "attack.collection"\n    ],\n    "query": "(EventID:(\\"5145\\") AND RelativeTargetName.keyword:(*.pst OR *.ost OR *.msg OR *.nst OR *.oab OR *.edb OR *.nsf OR *.bak OR *.dmp OR *.kirbi OR *\\\\\\\\ntds.dit OR *\\\\\\\\groups.xml OR *.rdp))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:(\\"5145\\") AND RelativeTargetName.keyword:(*.pst OR *.ost OR *.msg OR *.nst OR *.oab OR *.edb OR *.nsf OR *.bak OR *.dmp OR *.kirbi OR *\\\\\\\\ntds.dit OR *\\\\\\\\groups.xml OR *.rdp))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Suspicious access to sensitive file extensions\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(EventID:("5145") AND RelativeTargetName.keyword:(*.pst *.ost *.msg *.nst *.oab *.edb *.nsf *.bak *.dmp *.kirbi *\\\\ntds.dit *\\\\groups.xml *.rdp))
+```
+
+
 ### splunk
     
 ```
@@ -63,4 +84,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_source="Microsoft-Windows-Security-Auditing" event_id IN ["5145"] RelativeTargetName IN ["*.pst", "*.ost", "*.msg", "*.nst", "*.oab", "*.edb", "*.nsf", "*.bak", "*.dmp", "*.kirbi", "*\\\\ntds.dit", "*\\\\groups.xml", "*.rdp"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*5145))(?=.*(?:.*.*\\.pst|.*.*\\.ost|.*.*\\.msg|.*.*\\.nst|.*.*\\.oab|.*.*\\.edb|.*.*\\.nsf|.*.*\\.bak|.*.*\\.dmp|.*.*\\.kirbi|.*.*\\ntds\\.dit|.*.*\\groups\\.xml|.*.*\\.rdp)))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_rasdial_activity.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_rasdial_activity.md
index 8585035..999a973 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_rasdial_activity.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_rasdial_activity.md
@@ -3,7 +3,7 @@
 | Description          | Detects suspicious process related to rasdial.exe                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1064: Scripting](https://attack.mitre.org/techniques/T1064)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1064: Scripting](../Triggers/T1064.md)</li></ul>  |
 | Severity Level       | medium |
@@ -47,6 +47,27 @@ level: medium
 
 
 
+### es-qs
+    
+```
+CommandLine:("rasdial")
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-RASdial-Activity <<EOF\n{\n  "metadata": {\n    "title": "Suspicious RASdial Activity",\n    "description": "Detects suspicious process related to rasdial.exe",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.execution",\n      "attack.t1064"\n    ],\n    "query": "CommandLine:(\\"rasdial\\")"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "CommandLine:(\\"rasdial\\")",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Suspicious RASdial Activity\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+CommandLine:("rasdial")
+```
+
+
 ### splunk
     
 ```
@@ -54,4 +75,18 @@ level: medium
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" CommandLine IN ["rasdial"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*rasdial)'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_rc4_kerberos.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_rc4_kerberos.md
index b1c6ed9..817f705 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_rc4_kerberos.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_rc4_kerberos.md
@@ -50,6 +50,27 @@ level: medium
 
 
 
+### es-qs
+    
+```
+((EventID:"4769" AND TicketOptions:"0x40810000" AND TicketEncryptionType:"0x17") AND (NOT (ServiceName.keyword:$*)))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-Kerberos-RC4-Ticket-Encryption <<EOF\n{\n  "metadata": {\n    "title": "Suspicious Kerberos RC4 Ticket Encryption",\n    "description": "Detects service ticket requests using RC4 encryption type",\n    "tags": [\n      "attack.credential_access",\n      "attack.t1208"\n    ],\n    "query": "((EventID:\\"4769\\" AND TicketOptions:\\"0x40810000\\" AND TicketEncryptionType:\\"0x17\\") AND (NOT (ServiceName.keyword:$*)))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "((EventID:\\"4769\\" AND TicketOptions:\\"0x40810000\\" AND TicketEncryptionType:\\"0x17\\") AND (NOT (ServiceName.keyword:$*)))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Suspicious Kerberos RC4 Ticket Encryption\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+((EventID:"4769" AND TicketOptions:"0x40810000" AND TicketEncryptionType:"0x17") AND (NOT (ServiceName.keyword:$*)))
+```
+
+
 ### splunk
     
 ```
@@ -57,4 +78,18 @@ level: medium
 ```
 
 
+### logpoint
+    
+```
+(event_source="Microsoft-Windows-Security-Auditing" (event_id="4769" ticket_options="0x40810000" TicketEncryptionType="0x17")  -(service="$*"))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*(?=.*4769)(?=.*0x40810000)(?=.*0x17)))(?=.*(?!.*(?:.*(?:.*(?=.*\\$.*))))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_recon_activity.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_recon_activity.md
index e9fc1f1..69a22eb 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_recon_activity.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_recon_activity.md
@@ -3,7 +3,7 @@
 | Description          | Detects suspicious command line activity on Windows systems                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1087: Account Discovery](https://attack.mitre.org/techniques/T1087)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1087: Account Discovery](../Triggers/T1087.md)</li></ul>  |
 | Severity Level       | medium |
@@ -52,6 +52,27 @@ level: medium
 
 
 
+### es-qs
+    
+```
+CommandLine:("net\\ group\\ \\"domain\\ admins\\"\\ \\/domain" OR "net\\ localgroup\\ administrators")
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-Reconnaissance-Activity <<EOF\n{\n  "metadata": {\n    "title": "Suspicious Reconnaissance Activity",\n    "description": "Detects suspicious command line activity on Windows systems",\n    "tags": [\n      "attack.discovery",\n      "attack.t1087"\n    ],\n    "query": "CommandLine:(\\"net\\\\ group\\\\ \\\\\\"domain\\\\ admins\\\\\\"\\\\ \\\\/domain\\" OR \\"net\\\\ localgroup\\\\ administrators\\")"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "CommandLine:(\\"net\\\\ group\\\\ \\\\\\"domain\\\\ admins\\\\\\"\\\\ \\\\/domain\\" OR \\"net\\\\ localgroup\\\\ administrators\\")",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Suspicious Reconnaissance Activity\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n      CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+CommandLine:("net group \\"domain admins\\" \\/domain" "net localgroup administrators")
+```
+
+
 ### splunk
     
 ```
@@ -59,4 +80,18 @@ level: medium
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" CommandLine IN ["net group \\"domain admins\\" /domain", "net localgroup administrators"])
+```
+
+
+### grep
+    
+```
+grep -P \'^(?:.*net group "domain admins" /domain|.*net localgroup administrators)\'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_regsvr32_anomalies.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_regsvr32_anomalies.md
index c92e27d..8059102 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_regsvr32_anomalies.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_regsvr32_anomalies.md
@@ -3,7 +3,7 @@
 | Description          | Detects various anomalies in relation to regsvr32.exe                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1117: Regsvr32](https://attack.mitre.org/techniques/T1117)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1117: Regsvr32](../Triggers/T1117.md)</li></ul>  |
 | Severity Level       | high |
@@ -66,6 +66,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+((Image.keyword:*\\\\regsvr32.exe AND CommandLine.keyword:*\\\\Temp\\\\*) OR (Image.keyword:*\\\\regsvr32.exe AND ParentImage.keyword:*\\\\powershell.exe) OR (Image.keyword:*\\\\regsvr32.exe AND CommandLine.keyword:(*\\/i\\:http*\\ scrobj.dll OR *\\/i\\:ftp*\\ scrobj.dll)) OR (Image.keyword:*\\\\wscript.exe AND ParentImage.keyword:*\\\\regsvr32.exe) OR (Image.keyword:*\\\\EXCEL.EXE AND CommandLine.keyword:*..\\\\..\\\\..\\\\Windows\\\\System32\\\\regsvr32.exe\\ *))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Regsvr32-Anomaly <<EOF\n{\n  "metadata": {\n    "title": "Regsvr32 Anomaly",\n    "description": "Detects various anomalies in relation to regsvr32.exe",\n    "tags": [\n      "attack.t1117",\n      "attack.defense_evasion",\n      "attack.execution",\n      "car.2019-04-002",\n      "car.2019-04-003"\n    ],\n    "query": "((Image.keyword:*\\\\\\\\regsvr32.exe AND CommandLine.keyword:*\\\\\\\\Temp\\\\\\\\*) OR (Image.keyword:*\\\\\\\\regsvr32.exe AND ParentImage.keyword:*\\\\\\\\powershell.exe) OR (Image.keyword:*\\\\\\\\regsvr32.exe AND CommandLine.keyword:(*\\\\/i\\\\:http*\\\\ scrobj.dll OR *\\\\/i\\\\:ftp*\\\\ scrobj.dll)) OR (Image.keyword:*\\\\\\\\wscript.exe AND ParentImage.keyword:*\\\\\\\\regsvr32.exe) OR (Image.keyword:*\\\\\\\\EXCEL.EXE AND CommandLine.keyword:*..\\\\\\\\..\\\\\\\\..\\\\\\\\Windows\\\\\\\\System32\\\\\\\\regsvr32.exe\\\\ *))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "((Image.keyword:*\\\\\\\\regsvr32.exe AND CommandLine.keyword:*\\\\\\\\Temp\\\\\\\\*) OR (Image.keyword:*\\\\\\\\regsvr32.exe AND ParentImage.keyword:*\\\\\\\\powershell.exe) OR (Image.keyword:*\\\\\\\\regsvr32.exe AND CommandLine.keyword:(*\\\\/i\\\\:http*\\\\ scrobj.dll OR *\\\\/i\\\\:ftp*\\\\ scrobj.dll)) OR (Image.keyword:*\\\\\\\\wscript.exe AND ParentImage.keyword:*\\\\\\\\regsvr32.exe) OR (Image.keyword:*\\\\\\\\EXCEL.EXE AND CommandLine.keyword:*..\\\\\\\\..\\\\\\\\..\\\\\\\\Windows\\\\\\\\System32\\\\\\\\regsvr32.exe\\\\ *))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Regsvr32 Anomaly\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n      CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+((Image.keyword:*\\\\regsvr32.exe AND CommandLine.keyword:*\\\\Temp\\\\*) OR (Image.keyword:*\\\\regsvr32.exe AND ParentImage.keyword:*\\\\powershell.exe) OR (Image.keyword:*\\\\regsvr32.exe AND CommandLine.keyword:(*\\/i\\:http* scrobj.dll *\\/i\\:ftp* scrobj.dll)) OR (Image.keyword:*\\\\wscript.exe AND ParentImage.keyword:*\\\\regsvr32.exe) OR (Image.keyword:*\\\\EXCEL.EXE AND CommandLine.keyword:*..\\\\..\\\\..\\\\Windows\\\\System32\\\\regsvr32.exe *))
+```
+
+
 ### splunk
     
 ```
@@ -73,4 +94,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" ((Image="*\\\\regsvr32.exe" CommandLine="*\\\\Temp\\\\*") OR (Image="*\\\\regsvr32.exe" ParentImage="*\\\\powershell.exe") OR (Image="*\\\\regsvr32.exe" CommandLine IN ["*/i:http* scrobj.dll", "*/i:ftp* scrobj.dll"]) OR (Image="*\\\\wscript.exe" ParentImage="*\\\\regsvr32.exe") OR (Image="*\\\\EXCEL.EXE" CommandLine="*..\\\\..\\\\..\\\\Windows\\\\System32\\\\regsvr32.exe *")))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?:.*(?:.*(?=.*.*\\regsvr32\\.exe)(?=.*.*\\Temp\\\\.*))|.*(?:.*(?=.*.*\\regsvr32\\.exe)(?=.*.*\\powershell\\.exe))|.*(?:.*(?=.*.*\\regsvr32\\.exe)(?=.*(?:.*.*/i:http.* scrobj\\.dll|.*.*/i:ftp.* scrobj\\.dll)))|.*(?:.*(?=.*.*\\wscript\\.exe)(?=.*.*\\regsvr32\\.exe))|.*(?:.*(?=.*.*\\EXCEL\\.EXE)(?=.*.*\\.\\.\\\\.\\.\\\\.\\.\\Windows\\System32\\regsvr32\\.exe .*))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_rottenpotato.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_rottenpotato.md
index fe17f75..ca74612 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_rottenpotato.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_rottenpotato.md
@@ -51,6 +51,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(EventID:"4624" AND LogonType:"3" AND TargetUserName:"ANONYMOUS_LOGON" AND WorkstationName:"\\-" AND SourceNetworkAddress:"127.0.0.1")
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/RottenPotato-Like-Attack-Pattern <<EOF\n{\n  "metadata": {\n    "title": "RottenPotato Like Attack Pattern",\n    "description": "Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like",\n    "tags": [\n      "attack.privilege_escalation",\n      "attack.credential_access",\n      "attack.t1171"\n    ],\n    "query": "(EventID:\\"4624\\" AND LogonType:\\"3\\" AND TargetUserName:\\"ANONYMOUS_LOGON\\" AND WorkstationName:\\"\\\\-\\" AND SourceNetworkAddress:\\"127.0.0.1\\")"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:\\"4624\\" AND LogonType:\\"3\\" AND TargetUserName:\\"ANONYMOUS_LOGON\\" AND WorkstationName:\\"\\\\-\\" AND SourceNetworkAddress:\\"127.0.0.1\\")",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'RottenPotato Like Attack Pattern\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(EventID:"4624" AND LogonType:"3" AND TargetUserName:"ANONYMOUS_LOGON" AND WorkstationName:"\\-" AND SourceNetworkAddress:"127.0.0.1")
+```
+
+
 ### splunk
     
 ```
@@ -58,4 +79,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_source="Microsoft-Windows-Security-Auditing" event_id="4624" logon_type="3" TargetUserName="ANONYMOUS_LOGON" WorkstationName="-" SourceNetworkAddress="127.0.0.1")
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*4624)(?=.*3)(?=.*ANONYMOUS_LOGON)(?=.*-)(?=.*127\\.0\\.0\\.1))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_run_locations.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_run_locations.md
index 034f289..e817ff3 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_run_locations.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_run_locations.md
@@ -3,7 +3,7 @@
 | Description          | Detects suspicious process run from unusual locations                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1036: Masquerading](../Triggers/T1036.md)</li></ul>  |
 | Severity Level       | medium |
@@ -57,6 +57,27 @@ level: medium
 
 
 
+### es-qs
+    
+```
+Image.keyword:(*\\:\\\\RECYCLER\\\\* OR *\\:\\\\SystemVolumeInformation\\\\* OR C\\:\\\\Windows\\\\Tasks\\\\* OR C\\:\\\\Windows\\\\debug\\\\* OR C\\:\\\\Windows\\\\fonts\\\\* OR C\\:\\\\Windows\\\\help\\\\* OR C\\:\\\\Windows\\\\drivers\\\\* OR C\\:\\\\Windows\\\\addins\\\\* OR C\\:\\\\Windows\\\\cursors\\\\* OR C\\:\\\\Windows\\\\system32\\\\tasks\\\\*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-Process-Start-Locations <<EOF\n{\n  "metadata": {\n    "title": "Suspicious Process Start Locations",\n    "description": "Detects suspicious process run from unusual locations",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.t1036",\n      "car.2013-05-002"\n    ],\n    "query": "Image.keyword:(*\\\\:\\\\\\\\RECYCLER\\\\\\\\* OR *\\\\:\\\\\\\\SystemVolumeInformation\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\debug\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\fonts\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\help\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\drivers\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\addins\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\cursors\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\tasks\\\\\\\\*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "Image.keyword:(*\\\\:\\\\\\\\RECYCLER\\\\\\\\* OR *\\\\:\\\\\\\\SystemVolumeInformation\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\debug\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\fonts\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\help\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\drivers\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\addins\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\cursors\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\tasks\\\\\\\\*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Suspicious Process Start Locations\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+Image.keyword:(*\\:\\\\RECYCLER\\\\* *\\:\\\\SystemVolumeInformation\\\\* C\\:\\\\Windows\\\\Tasks\\\\* C\\:\\\\Windows\\\\debug\\\\* C\\:\\\\Windows\\\\fonts\\\\* C\\:\\\\Windows\\\\help\\\\* C\\:\\\\Windows\\\\drivers\\\\* C\\:\\\\Windows\\\\addins\\\\* C\\:\\\\Windows\\\\cursors\\\\* C\\:\\\\Windows\\\\system32\\\\tasks\\\\*)
+```
+
+
 ### splunk
     
 ```
@@ -64,4 +85,18 @@ level: medium
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" Image IN ["*:\\\\RECYCLER\\\\*", "*:\\\\SystemVolumeInformation\\\\*", "C:\\\\Windows\\\\Tasks\\\\*", "C:\\\\Windows\\\\debug\\\\*", "C:\\\\Windows\\\\fonts\\\\*", "C:\\\\Windows\\\\help\\\\*", "C:\\\\Windows\\\\drivers\\\\*", "C:\\\\Windows\\\\addins\\\\*", "C:\\\\Windows\\\\cursors\\\\*", "C:\\\\Windows\\\\system32\\\\tasks\\\\*"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*.*:\\RECYCLER\\\\.*|.*.*:\\SystemVolumeInformation\\\\.*|.*C:\\\\Windows\\\\Tasks\\\\.*|.*C:\\\\Windows\\\\debug\\\\.*|.*C:\\\\Windows\\\\fonts\\\\.*|.*C:\\\\Windows\\\\help\\\\.*|.*C:\\\\Windows\\\\drivers\\\\.*|.*C:\\\\Windows\\\\addins\\\\.*|.*C:\\\\Windows\\\\cursors\\\\.*|.*C:\\\\Windows\\\\system32\\tasks\\\\.*)'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_rundll32_activity.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_rundll32_activity.md
index 1f4cfc7..20d5172 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_rundll32_activity.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_rundll32_activity.md
@@ -3,7 +3,7 @@
 | Description          | Detects suspicious process related to rundll32 based on arguments                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1085: Rundll32](https://attack.mitre.org/techniques/T1085)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1085: Rundll32](../Triggers/T1085.md)</li></ul>  |
 | Severity Level       | medium |
@@ -61,6 +61,27 @@ level: medium
 
 
 
+### es-qs
+    
+```
+CommandLine.keyword:(*\\\\rundll32.exe*\\ url.dll,*OpenURL\\ * OR *\\\\rundll32.exe*\\ url.dll,*OpenURLA\\ * OR *\\\\rundll32.exe*\\ url.dll,*FileProtocolHandler\\ * OR *\\\\rundll32.exe*\\ zipfldr.dll,*RouteTheCall\\ * OR *\\\\rundll32.exe*\\ Shell32.dll,*Control_RunDLL\\ * OR *\\\\rundll32.exe\\ javascript\\:* OR *\\ url.dll,*OpenURL\\ * OR *\\ url.dll,*OpenURLA\\ * OR *\\ url.dll,*FileProtocolHandler\\ * OR *\\ zipfldr.dll,*RouteTheCall\\ * OR *\\ Shell32.dll,*Control_RunDLL\\ * OR *\\ javascript\\:* OR *.RegisterXLL*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-Rundll32-Activity <<EOF\n{\n  "metadata": {\n    "title": "Suspicious Rundll32 Activity",\n    "description": "Detects suspicious process related to rundll32 based on arguments",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.execution",\n      "attack.t1085"\n    ],\n    "query": "CommandLine.keyword:(*\\\\\\\\rundll32.exe*\\\\ url.dll,*OpenURL\\\\ * OR *\\\\\\\\rundll32.exe*\\\\ url.dll,*OpenURLA\\\\ * OR *\\\\\\\\rundll32.exe*\\\\ url.dll,*FileProtocolHandler\\\\ * OR *\\\\\\\\rundll32.exe*\\\\ zipfldr.dll,*RouteTheCall\\\\ * OR *\\\\\\\\rundll32.exe*\\\\ Shell32.dll,*Control_RunDLL\\\\ * OR *\\\\\\\\rundll32.exe\\\\ javascript\\\\:* OR *\\\\ url.dll,*OpenURL\\\\ * OR *\\\\ url.dll,*OpenURLA\\\\ * OR *\\\\ url.dll,*FileProtocolHandler\\\\ * OR *\\\\ zipfldr.dll,*RouteTheCall\\\\ * OR *\\\\ Shell32.dll,*Control_RunDLL\\\\ * OR *\\\\ javascript\\\\:* OR *.RegisterXLL*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "CommandLine.keyword:(*\\\\\\\\rundll32.exe*\\\\ url.dll,*OpenURL\\\\ * OR *\\\\\\\\rundll32.exe*\\\\ url.dll,*OpenURLA\\\\ * OR *\\\\\\\\rundll32.exe*\\\\ url.dll,*FileProtocolHandler\\\\ * OR *\\\\\\\\rundll32.exe*\\\\ zipfldr.dll,*RouteTheCall\\\\ * OR *\\\\\\\\rundll32.exe*\\\\ Shell32.dll,*Control_RunDLL\\\\ * OR *\\\\\\\\rundll32.exe\\\\ javascript\\\\:* OR *\\\\ url.dll,*OpenURL\\\\ * OR *\\\\ url.dll,*OpenURLA\\\\ * OR *\\\\ url.dll,*FileProtocolHandler\\\\ * OR *\\\\ zipfldr.dll,*RouteTheCall\\\\ * OR *\\\\ Shell32.dll,*Control_RunDLL\\\\ * OR *\\\\ javascript\\\\:* OR *.RegisterXLL*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Suspicious Rundll32 Activity\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+CommandLine.keyword:(*\\\\rundll32.exe* url.dll,*OpenURL * *\\\\rundll32.exe* url.dll,*OpenURLA * *\\\\rundll32.exe* url.dll,*FileProtocolHandler * *\\\\rundll32.exe* zipfldr.dll,*RouteTheCall * *\\\\rundll32.exe* Shell32.dll,*Control_RunDLL * *\\\\rundll32.exe javascript\\:* * url.dll,*OpenURL * * url.dll,*OpenURLA * * url.dll,*FileProtocolHandler * * zipfldr.dll,*RouteTheCall * * Shell32.dll,*Control_RunDLL * * javascript\\:* *.RegisterXLL*)
+```
+
+
 ### splunk
     
 ```
@@ -68,4 +89,18 @@ level: medium
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" CommandLine IN ["*\\\\rundll32.exe* url.dll,*OpenURL *", "*\\\\rundll32.exe* url.dll,*OpenURLA *", "*\\\\rundll32.exe* url.dll,*FileProtocolHandler *", "*\\\\rundll32.exe* zipfldr.dll,*RouteTheCall *", "*\\\\rundll32.exe* Shell32.dll,*Control_RunDLL *", "*\\\\rundll32.exe javascript:*", "* url.dll,*OpenURL *", "* url.dll,*OpenURLA *", "* url.dll,*FileProtocolHandler *", "* zipfldr.dll,*RouteTheCall *", "* Shell32.dll,*Control_RunDLL *", "* javascript:*", "*.RegisterXLL*"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*.*\\rundll32\\.exe.* url\\.dll,.*OpenURL .*|.*.*\\rundll32\\.exe.* url\\.dll,.*OpenURLA .*|.*.*\\rundll32\\.exe.* url\\.dll,.*FileProtocolHandler .*|.*.*\\rundll32\\.exe.* zipfldr\\.dll,.*RouteTheCall .*|.*.*\\rundll32\\.exe.* Shell32\\.dll,.*Control_RunDLL .*|.*.*\\rundll32\\.exe javascript:.*|.*.* url\\.dll,.*OpenURL .*|.*.* url\\.dll,.*OpenURLA .*|.*.* url\\.dll,.*FileProtocolHandler .*|.*.* zipfldr\\.dll,.*RouteTheCall .*|.*.* Shell32\\.dll,.*Control_RunDLL .*|.*.* javascript:.*|.*.*\\.RegisterXLL.*)'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_rundll32_by_ordinal.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_rundll32_by_ordinal.md
index d227df8..bea5c0a 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_rundll32_by_ordinal.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_rundll32_by_ordinal.md
@@ -3,7 +3,7 @@
 | Description          | Detects suspicious calls of DLLs in rundll32.dll exports by ordinal                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1085: Rundll32](https://attack.mitre.org/techniques/T1085)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1085: Rundll32](../Triggers/T1085.md)</li></ul>  |
 | Severity Level       | high |
@@ -50,6 +50,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+CommandLine.keyword:*\\\\rundll32.exe\\ *,#*
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-Call-by-Ordinal <<EOF\n{\n  "metadata": {\n    "title": "Suspicious Call by Ordinal",\n    "description": "Detects suspicious calls of DLLs in rundll32.dll exports by ordinal",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.execution",\n      "attack.t1085"\n    ],\n    "query": "CommandLine.keyword:*\\\\\\\\rundll32.exe\\\\ *,#*"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "CommandLine.keyword:*\\\\\\\\rundll32.exe\\\\ *,#*",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Suspicious Call by Ordinal\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+CommandLine.keyword:*\\\\rundll32.exe *,#*
+```
+
+
 ### splunk
     
 ```
@@ -57,4 +78,18 @@ CommandLine="*\\\\rundll32.exe *,#*"
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" CommandLine="*\\\\rundll32.exe *,#*")
+```
+
+
+### grep
+    
+```
+grep -P '^.*\\rundll32\\.exe .*,#.*'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_sam_dump.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_sam_dump.md
index 02c0725..3405e17 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_sam_dump.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_sam_dump.md
@@ -47,6 +47,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(EventID:"16" AND Message.keyword:(*\\\\AppData\\\\Local\\\\Temp\\\\SAM\\-*.dmp\\ *))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/SAM-Dump-to-AppData <<EOF\n{\n  "metadata": {\n    "title": "SAM Dump to AppData",\n    "description": "Detects suspicious SAM dump activity as cause by QuarksPwDump and other password dumpers",\n    "tags": [\n      "attack.credential_access",\n      "attack.t1003"\n    ],\n    "query": "(EventID:\\"16\\" AND Message.keyword:(*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\SAM\\\\-*.dmp\\\\ *))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:\\"16\\" AND Message.keyword:(*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\SAM\\\\-*.dmp\\\\ *))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'SAM Dump to AppData\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(EventID:"16" AND Message.keyword:(*\\\\AppData\\\\Local\\\\Temp\\\\SAM\\-*.dmp *))
+```
+
+
 ### splunk
     
 ```
@@ -54,4 +75,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_source="Microsoft-Windows-Security-Auditing" event_id="16" Message IN ["*\\\\AppData\\\\Local\\\\Temp\\\\SAM-*.dmp *"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*16)(?=.*(?:.*.*\\AppData\\Local\\Temp\\SAM-.*\\.dmp .*)))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_samr_pwset.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_samr_pwset.md
index 33797ae..b559543 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_samr_pwset.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_samr_pwset.md
@@ -47,6 +47,27 @@ level: medium
 
 
 
+### es-qs
+    
+```
+
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Possible-Remote-Password-Change-Through-SAMR <<EOF\n{\n  "metadata": {\n    "title": "Possible Remote Password Change Through SAMR",\n    "description": "Detects a possible remote NTLM hash change through SAMR API SamiChangePasswordUser() or SamSetInformationUser(). \\"Audit User Account Management\\" in \\"Advanced Audit Policy Configuration\\" has to be enabled in your local security policy / GPO to see this events.",\n    "tags": [\n      "attack.credential_access",\n      "attack.t1212"\n    ],\n    "query": "(EventID:\\"4738\\" AND (NOT (NOT _exists_:PasswordLastSet)))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "15s"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:\\"4738\\" AND (NOT (NOT _exists_:PasswordLastSet)))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Possible Remote Password Change Through SAMR\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+
+```
+
+
 ### splunk
     
 ```
@@ -54,4 +75,18 @@ level: medium
 ```
 
 
+### logpoint
+    
+```
+
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*4738)(?=.*(?!.*(?:.*(?=.*(?!PasswordLastSet))))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_schtask_creation.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_schtask_creation.md
index cdedfb0..3f0b117 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_schtask_creation.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_schtask_creation.md
@@ -54,6 +54,27 @@ level: low
 
 
 
+### es-qs
+    
+```
+((Image.keyword:*\\\\schtasks.exe AND CommandLine.keyword:*\\ \\/create\\ *) AND (NOT (User:"NT\\ AUTHORITY\\\\SYSTEM")))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Scheduled-Task-Creation <<EOF\n{\n  "metadata": {\n    "title": "Scheduled Task Creation",\n    "description": "Detects the creation of scheduled tasks in user session",\n    "tags": [\n      "attack.execution",\n      "attack.persistence",\n      "attack.privilege_escalation",\n      "attack.t1053",\n      "attack.s0111",\n      "car.2013-08-001"\n    ],\n    "query": "((Image.keyword:*\\\\\\\\schtasks.exe AND CommandLine.keyword:*\\\\ \\\\/create\\\\ *) AND (NOT (User:\\"NT\\\\ AUTHORITY\\\\\\\\SYSTEM\\")))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "((Image.keyword:*\\\\\\\\schtasks.exe AND CommandLine.keyword:*\\\\ \\\\/create\\\\ *) AND (NOT (User:\\"NT\\\\ AUTHORITY\\\\\\\\SYSTEM\\")))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Scheduled Task Creation\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n      CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+((Image.keyword:*\\\\schtasks.exe AND CommandLine.keyword:* \\/create *) AND (NOT (User:"NT AUTHORITY\\\\SYSTEM")))
+```
+
+
 ### splunk
     
 ```
@@ -61,4 +82,18 @@ level: low
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" (Image="*\\\\schtasks.exe" CommandLine="* /create *")  -(User="NT AUTHORITY\\\\SYSTEM"))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*(?=.*.*\\schtasks\\.exe)(?=.*.* /create .*)))(?=.*(?!.*(?:.*(?=.*NT AUTHORITY\\SYSTEM)))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_script_execution.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_script_execution.md
index 5dec461..716b26d 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_script_execution.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_script_execution.md
@@ -3,7 +3,7 @@
 | Description          | Detects suspicious file execution by wscript and cscript                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1064: Scripting](https://attack.mitre.org/techniques/T1064)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1064: Scripting](../Triggers/T1064.md)</li></ul>  |
 | Severity Level       | medium |
@@ -53,6 +53,27 @@ level: medium
 
 
 
+### es-qs
+    
+```
+(Image.keyword:(*\\\\wscript.exe OR *\\\\cscript.exe) AND CommandLine.keyword:(*.jse OR *.vbe OR *.js OR *.vba))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/WSF/JSE/JS/VBA/VBE-File-Execution <<EOF\n{\n  "metadata": {\n    "title": "WSF/JSE/JS/VBA/VBE File Execution",\n    "description": "Detects suspicious file execution by wscript and cscript",\n    "tags": [\n      "attack.execution",\n      "attack.t1064"\n    ],\n    "query": "(Image.keyword:(*\\\\\\\\wscript.exe OR *\\\\\\\\cscript.exe) AND CommandLine.keyword:(*.jse OR *.vbe OR *.js OR *.vba))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(Image.keyword:(*\\\\\\\\wscript.exe OR *\\\\\\\\cscript.exe) AND CommandLine.keyword:(*.jse OR *.vbe OR *.js OR *.vba))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'WSF/JSE/JS/VBA/VBE File Execution\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n      CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(Image.keyword:(*\\\\wscript.exe *\\\\cscript.exe) AND CommandLine.keyword:(*.jse *.vbe *.js *.vba))
+```
+
+
 ### splunk
     
 ```
@@ -60,4 +81,18 @@ level: medium
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" Image IN ["*\\\\wscript.exe", "*\\\\cscript.exe"] CommandLine IN ["*.jse", "*.vbe", "*.js", "*.vba"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*.*\\wscript\\.exe|.*.*\\cscript\\.exe))(?=.*(?:.*.*\\.jse|.*.*\\.vbe|.*.*\\.js|.*.*\\.vba)))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_sdelete.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_sdelete.md
index bd84556..ccb8e79 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_sdelete.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_sdelete.md
@@ -3,7 +3,7 @@
 | Description          | Detects renaming of file while deletion with SDelete tool                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1107: File Deletion](https://attack.mitre.org/techniques/T1107)</li><li>[T1066: Indicator Removal from Tools](https://attack.mitre.org/techniques/T1066)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0062_4663_attempt_was_made_to_access_an_object](../Data_Needed/DN_0062_4663_attempt_was_made_to_access_an_object.md)</li><li>[DN_0058_4656_handle_to_an_object_was_requested](../Data_Needed/DN_0058_4656_handle_to_an_object_was_requested.md)</li><li>[DN_0060_4658_handle_to_an_object_was_closed](../Data_Needed/DN_0060_4658_handle_to_an_object_was_closed.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0060_4658_handle_to_an_object_was_closed](../Data_Needed/DN_0060_4658_handle_to_an_object_was_closed.md)</li><li>[DN_0062_4663_attempt_was_made_to_access_an_object](../Data_Needed/DN_0062_4663_attempt_was_made_to_access_an_object.md)</li><li>[DN_0058_4656_handle_to_an_object_was_requested](../Data_Needed/DN_0058_4656_handle_to_an_object_was_requested.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1107: File Deletion](../Triggers/T1107.md)</li><li>[T1066: Indicator Removal from Tools](../Triggers/T1066.md)</li></ul>  |
 | Severity Level       | medium |
@@ -55,6 +55,27 @@ level: medium
 
 
 
+### es-qs
+    
+```
+(EventID:("4656" OR "4663" OR "4658") AND ObjectName.keyword:(*.AAA OR *.ZZZ))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Secure-Deletion-with-SDelete <<EOF\n{\n  "metadata": {\n    "title": "Secure Deletion with SDelete",\n    "description": "Detects renaming of file while deletion with SDelete tool",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.t1107",\n      "attack.t1066",\n      "attack.s0195"\n    ],\n    "query": "(EventID:(\\"4656\\" OR \\"4663\\" OR \\"4658\\") AND ObjectName.keyword:(*.AAA OR *.ZZZ))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:(\\"4656\\" OR \\"4663\\" OR \\"4658\\") AND ObjectName.keyword:(*.AAA OR *.ZZZ))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Secure Deletion with SDelete\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(EventID:("4656" "4663" "4658") AND ObjectName.keyword:(*.AAA *.ZZZ))
+```
+
+
 ### splunk
     
 ```
@@ -62,4 +83,18 @@ level: medium
 ```
 
 
+### logpoint
+    
+```
+(event_source="Microsoft-Windows-Security-Auditing" event_id IN ["4656", "4663", "4658"] ObjectName IN ["*.AAA", "*.ZZZ"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*4656|.*4663|.*4658))(?=.*(?:.*.*\\.AAA|.*.*\\.ZZZ)))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_security_eventlog_cleared.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_security_eventlog_cleared.md
index 4cb9b30..fe66263 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_security_eventlog_cleared.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_security_eventlog_cleared.md
@@ -3,7 +3,7 @@
 | Description          | Some threat groups tend to delete the local 'Security' Eventlog using certain utitlities                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1070: Indicator Removal on Host](https://attack.mitre.org/techniques/T1070)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0038_1102_the_audit_log_was_cleared](../Data_Needed/DN_0038_1102_the_audit_log_was_cleared.md)</li><li>[DN_0050_1102_audit_log_was_cleared](../Data_Needed/DN_0050_1102_audit_log_was_cleared.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0050_1102_audit_log_was_cleared](../Data_Needed/DN_0050_1102_audit_log_was_cleared.md)</li><li>[DN_0038_1102_the_audit_log_was_cleared](../Data_Needed/DN_0038_1102_the_audit_log_was_cleared.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1070: Indicator Removal on Host](../Triggers/T1070.md)</li></ul>  |
 | Severity Level       | high |
@@ -46,6 +46,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+EventID:("517" OR "1102")
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Security-Eventlog-Cleared <<EOF\n{\n  "metadata": {\n    "title": "Security Eventlog Cleared",\n    "description": "Some threat groups tend to delete the local \'Security\' Eventlog using certain utitlities",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.t1070",\n      "car.2016-04-002"\n    ],\n    "query": "EventID:(\\"517\\" OR \\"1102\\")"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "EventID:(\\"517\\" OR \\"1102\\")",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Security Eventlog Cleared\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+EventID:("517" "1102")
+```
+
+
 ### splunk
     
 ```
@@ -53,4 +74,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_source="Microsoft-Windows-Security-Auditing" event_id IN ["517", "1102"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*517|.*1102)'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_squirrel_lolbin.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_squirrel_lolbin.md
index 9f1bf56..c4cb6d8 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_squirrel_lolbin.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_squirrel_lolbin.md
@@ -3,7 +3,7 @@
 | Description          | Detects Possible Squirrel Packages Manager as Lolbin                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
 | ATT&amp;CK Technique |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              |  There is no documented Trigger for this Detection Rule yet  |
 | Severity Level       | high |
@@ -83,6 +83,27 @@ detection:
 
 
 
+### es-qs
+    
+```
+(Image.keyword:(*\\\\update.exe) AND CommandLine.keyword:(*\\-\\-processStart*.exe* OR *\\-\\-processStartAndWait*.exe* OR *\xe2\x80\x93createShortcut*.exe*))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Squirrel-Lolbin <<EOF\n{\n  "metadata": {\n    "title": "Squirrel Lolbin",\n    "description": "Detects Possible Squirrel Packages Manager as Lolbin",\n    "tags": [\n      "attack.execution"\n    ],\n    "query": "(Image.keyword:(*\\\\\\\\update.exe) AND CommandLine.keyword:(*\\\\-\\\\-processStart*.exe* OR *\\\\-\\\\-processStartAndWait*.exe* OR *\\u2013createShortcut*.exe*))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(Image.keyword:(*\\\\\\\\update.exe) AND CommandLine.keyword:(*\\\\-\\\\-processStart*.exe* OR *\\\\-\\\\-processStartAndWait*.exe* OR *\\u2013createShortcut*.exe*))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Squirrel Lolbin\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(Image.keyword:(*\\\\update.exe) AND CommandLine.keyword:(*\\-\\-processStart*.exe* *\\-\\-processStartAndWait*.exe* *\xe2\x80\x93createShortcut*.exe*))
+```
+
+
 ### splunk
     
 ```
@@ -90,4 +111,18 @@ detection:
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" Image IN ["*\\\\update.exe"] CommandLine IN ["*--processStart*.exe*", "*--processStartAndWait*.exe*", "*\xe2\x80\x93createShortcut*.exe*"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*.*\\update\\.exe))(?=.*(?:.*.*--processStart.*\\.exe.*|.*.*--processStartAndWait.*\\.exe.*|.*.*\xe2\x80\x93createShortcut.*\\.exe.*)))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_svchost.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_svchost.md
index 3359660..6e1bcbc 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_svchost.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_svchost.md
@@ -3,7 +3,7 @@
 | Description          | Detects a suspicious svchost process start                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1036: Masquerading](../Triggers/T1036.md)</li></ul>  |
 | Severity Level       | high |
@@ -55,6 +55,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+((Image.keyword:*\\\\svchost.exe AND (NOT (ParentImage.keyword:(*\\\\services.exe OR *\\\\MsMpEng.exe OR *\\\\Mrt.exe OR *\\\\rpcnet.exe)))) AND (NOT (NOT _exists_:ParentImage)))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-Svchost-Process <<EOF\n{\n  "metadata": {\n    "title": "Suspicious Svchost Process",\n    "description": "Detects a suspicious svchost process start",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.t1036"\n    ],\n    "query": "((Image.keyword:*\\\\\\\\svchost.exe AND (NOT (ParentImage.keyword:(*\\\\\\\\services.exe OR *\\\\\\\\MsMpEng.exe OR *\\\\\\\\Mrt.exe OR *\\\\\\\\rpcnet.exe)))) AND (NOT (NOT _exists_:ParentImage)))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "((Image.keyword:*\\\\\\\\svchost.exe AND (NOT (ParentImage.keyword:(*\\\\\\\\services.exe OR *\\\\\\\\MsMpEng.exe OR *\\\\\\\\Mrt.exe OR *\\\\\\\\rpcnet.exe)))) AND (NOT (NOT _exists_:ParentImage)))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Suspicious Svchost Process\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n      CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+((Image.keyword:*\\\\svchost.exe AND (NOT (ParentImage.keyword:(*\\\\services.exe *\\\\MsMpEng.exe *\\\\Mrt.exe *\\\\rpcnet.exe)))) AND (NOT (NOT _exists_:ParentImage)))
+```
+
+
 ### splunk
     
 ```
@@ -62,4 +83,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" (Image="*\\\\svchost.exe"  -(ParentImage IN ["*\\\\services.exe", "*\\\\MsMpEng.exe", "*\\\\Mrt.exe", "*\\\\rpcnet.exe"]))  -(-ParentImage=*))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*(?=.*.*\\svchost\\.exe)(?=.*(?!.*(?:.*(?=.*(?:.*.*\\services\\.exe|.*.*\\MsMpEng\\.exe|.*.*\\Mrt\\.exe|.*.*\\rpcnet\\.exe)))))))(?=.*(?!.*(?:.*(?=.*(?!ParentImage))))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_sysprep_appdata.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_sysprep_appdata.md
index 88dec3b..80f7a6b 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_sysprep_appdata.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_sysprep_appdata.md
@@ -3,7 +3,7 @@
 | Description          | Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
 | ATT&amp;CK Technique |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              |  There is no documented Trigger for this Detection Rule yet  |
 | Severity Level       | medium |
@@ -49,6 +49,27 @@ level: medium
 
 
 
+### es-qs
+    
+```
+CommandLine.keyword:(*\\\\sysprep.exe\\ *\\\\AppData\\\\* OR sysprep.exe\\ *\\\\AppData\\\\*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Sysprep-on-AppData-Folder <<EOF\n{\n  "metadata": {\n    "title": "Sysprep on AppData Folder",\n    "description": "Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)",\n    "tags": [\n      "attack.execution"\n    ],\n    "query": "CommandLine.keyword:(*\\\\\\\\sysprep.exe\\\\ *\\\\\\\\AppData\\\\\\\\* OR sysprep.exe\\\\ *\\\\\\\\AppData\\\\\\\\*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "CommandLine.keyword:(*\\\\\\\\sysprep.exe\\\\ *\\\\\\\\AppData\\\\\\\\* OR sysprep.exe\\\\ *\\\\\\\\AppData\\\\\\\\*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Sysprep on AppData Folder\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+CommandLine.keyword:(*\\\\sysprep.exe *\\\\AppData\\\\* sysprep.exe *\\\\AppData\\\\*)
+```
+
+
 ### splunk
     
 ```
@@ -56,4 +77,18 @@ level: medium
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" CommandLine IN ["*\\\\sysprep.exe *\\\\AppData\\\\*", "sysprep.exe *\\\\AppData\\\\*"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*.*\\sysprep\\.exe .*\\AppData\\\\.*|.*sysprep\\.exe .*\\AppData\\\\.*)'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_sysvol_access.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_sysvol_access.md
index 64d39bb..e2eb8f1 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_sysvol_access.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_sysvol_access.md
@@ -3,7 +3,7 @@
 | Description          | Detects Access to Domain Group Policies stored in SYSVOL                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1003: Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1003: Credential Dumping](../Triggers/T1003.md)</li></ul>  |
 | Severity Level       | medium |
@@ -48,6 +48,27 @@ level: medium
 
 
 
+### es-qs
+    
+```
+CommandLine.keyword:*\\\\SYSVOL\\\\*\\\\policies\\\\*
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-SYSVOL-Domain-Group-Policy-Access <<EOF\n{\n  "metadata": {\n    "title": "Suspicious SYSVOL Domain Group Policy Access",\n    "description": "Detects Access to Domain Group Policies stored in SYSVOL",\n    "tags": [\n      "attack.credential_access",\n      "attack.t1003"\n    ],\n    "query": "CommandLine.keyword:*\\\\\\\\SYSVOL\\\\\\\\*\\\\\\\\policies\\\\\\\\*"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "CommandLine.keyword:*\\\\\\\\SYSVOL\\\\\\\\*\\\\\\\\policies\\\\\\\\*",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Suspicious SYSVOL Domain Group Policy Access\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+CommandLine.keyword:*\\\\SYSVOL\\\\*\\\\policies\\\\*
+```
+
+
 ### splunk
     
 ```
@@ -55,4 +76,18 @@ CommandLine="*\\\\SYSVOL\\\\*\\\\policies\\\\*"
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" CommandLine="*\\\\SYSVOL\\\\*\\\\policies\\\\*")
+```
+
+
+### grep
+    
+```
+grep -P '^.*\\SYSVOL\\\\.*\\policies\\\\.*'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_taskmgr_localsystem.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_taskmgr_localsystem.md
index b136627..ae23642 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_taskmgr_localsystem.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_taskmgr_localsystem.md
@@ -45,6 +45,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(User:"NT\\ AUTHORITY\\\\SYSTEM" AND Image.keyword:*\\\\taskmgr.exe)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Taskmgr-as-LOCAL_SYSTEM <<EOF\n{\n  "metadata": {\n    "title": "Taskmgr as LOCAL_SYSTEM",\n    "description": "Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.t1036"\n    ],\n    "query": "(User:\\"NT\\\\ AUTHORITY\\\\\\\\SYSTEM\\" AND Image.keyword:*\\\\\\\\taskmgr.exe)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(User:\\"NT\\\\ AUTHORITY\\\\\\\\SYSTEM\\" AND Image.keyword:*\\\\\\\\taskmgr.exe)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Taskmgr as LOCAL_SYSTEM\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(User:"NT AUTHORITY\\\\SYSTEM" AND Image.keyword:*\\\\taskmgr.exe)
+```
+
+
 ### splunk
     
 ```
@@ -52,4 +73,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" User="NT AUTHORITY\\\\SYSTEM" Image="*\\\\taskmgr.exe")
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*NT AUTHORITY\\SYSTEM)(?=.*.*\\taskmgr\\.exe))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_taskmgr_parent.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_taskmgr_parent.md
index 2c27e54..6f1e042 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_taskmgr_parent.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_taskmgr_parent.md
@@ -3,7 +3,7 @@
 | Description          | Detects the creation of a process from Windows task manager                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1036: Masquerading](../Triggers/T1036.md)</li></ul>  |
 | Severity Level       | low |
@@ -53,6 +53,27 @@ level: low
 
 
 
+### es-qs
+    
+```
+(ParentImage.keyword:*\\\\taskmgr.exe AND (NOT (Image.keyword:(*\\\\resmon.exe OR *\\\\mmc.exe OR *\\\\taskmgr.exe))))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Taskmgr-as-Parent <<EOF\n{\n  "metadata": {\n    "title": "Taskmgr as Parent",\n    "description": "Detects the creation of a process from Windows task manager",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.t1036"\n    ],\n    "query": "(ParentImage.keyword:*\\\\\\\\taskmgr.exe AND (NOT (Image.keyword:(*\\\\\\\\resmon.exe OR *\\\\\\\\mmc.exe OR *\\\\\\\\taskmgr.exe))))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(ParentImage.keyword:*\\\\\\\\taskmgr.exe AND (NOT (Image.keyword:(*\\\\\\\\resmon.exe OR *\\\\\\\\mmc.exe OR *\\\\\\\\taskmgr.exe))))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Taskmgr as Parent\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n            Image = {{_source.Image}}\\n      CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(ParentImage.keyword:*\\\\taskmgr.exe AND (NOT (Image.keyword:(*\\\\resmon.exe *\\\\mmc.exe *\\\\taskmgr.exe))))
+```
+
+
 ### splunk
     
 ```
@@ -60,4 +81,18 @@ level: low
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" ParentImage="*\\\\taskmgr.exe"  -(Image IN ["*\\\\resmon.exe", "*\\\\mmc.exe", "*\\\\taskmgr.exe"]))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*.*\\taskmgr\\.exe)(?=.*(?!.*(?:.*(?=.*(?:.*.*\\resmon\\.exe|.*.*\\mmc\\.exe|.*.*\\taskmgr\\.exe))))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_time_modification.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_time_modification.md
index 480880d..ca624dd 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_time_modification.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_time_modification.md
@@ -55,6 +55,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(EventID:"4616" AND (NOT (((ProcessName:"C\\:\\\\Program\\ Files\\\\VMware\\\\VMware\\ Tools\\\\vmtoolsd.exe" OR ProcessName:"C\\:\\\\Windows\\\\System32\\\\VBoxService.exe") OR (ProcessName:"C\\:\\\\Windows\\\\System32\\\\svchost.exe" AND SubjectUserSid:"S\\-1\\-5\\-19")))))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Unauthorized-System-Time-Modification <<EOF\n{\n  "metadata": {\n    "title": "Unauthorized System Time Modification",\n    "description": "Detect scenarios where a potentially unauthorized application or user is modifying the system time.",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.t1099"\n    ],\n    "query": "(EventID:\\"4616\\" AND (NOT (((ProcessName:\\"C\\\\:\\\\\\\\Program\\\\ Files\\\\\\\\VMware\\\\\\\\VMware\\\\ Tools\\\\\\\\vmtoolsd.exe\\" OR ProcessName:\\"C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\VBoxService.exe\\") OR (ProcessName:\\"C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\" AND SubjectUserSid:\\"S\\\\-1\\\\-5\\\\-19\\")))))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:\\"4616\\" AND (NOT (((ProcessName:\\"C\\\\:\\\\\\\\Program\\\\ Files\\\\\\\\VMware\\\\\\\\VMware\\\\ Tools\\\\\\\\vmtoolsd.exe\\" OR ProcessName:\\"C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\VBoxService.exe\\") OR (ProcessName:\\"C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\" AND SubjectUserSid:\\"S\\\\-1\\\\-5\\\\-19\\")))))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Unauthorized System Time Modification\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(EventID:"4616" AND (NOT (((ProcessName:"C\\:\\\\Program Files\\\\VMware\\\\VMware Tools\\\\vmtoolsd.exe" OR ProcessName:"C\\:\\\\Windows\\\\System32\\\\VBoxService.exe") OR (ProcessName:"C\\:\\\\Windows\\\\System32\\\\svchost.exe" AND SubjectUserSid:"S\\-1\\-5\\-19")))))
+```
+
+
 ### splunk
     
 ```
@@ -62,4 +83,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_source="Microsoft-Windows-Security-Auditing" event_id="4616"  -((event_source="Microsoft-Windows-Security-Auditing" ((ProcessName="C:\\\\Program Files\\\\VMware\\\\VMware Tools\\\\vmtoolsd.exe" OR ProcessName="C:\\\\Windows\\\\System32\\\\VBoxService.exe") OR (ProcessName="C:\\\\Windows\\\\System32\\\\svchost.exe" SubjectUserSid="S-1-5-19")))))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*4616)(?=.*(?!.*(?:.*(?:.*(?:.*(?:.*(?:.*C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd\\.exe|.*C:\\Windows\\System32\\VBoxService\\.exe))|.*(?:.*(?=.*C:\\Windows\\System32\\svchost\\.exe)(?=.*S-1-5-19))))))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_tscon_localsystem.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_tscon_localsystem.md
index 2fbcb88..25722fe 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_tscon_localsystem.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_tscon_localsystem.md
@@ -48,6 +48,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(User:"NT\\ AUTHORITY\\\\SYSTEM" AND Image.keyword:*\\\\tscon.exe)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-TSCON-Start <<EOF\n{\n  "metadata": {\n    "title": "Suspicious TSCON Start",\n    "description": "Detects a tscon.exe start as LOCAL SYSTEM",\n    "tags": [\n      "attack.command_and_control",\n      "attack.t1219"\n    ],\n    "query": "(User:\\"NT\\\\ AUTHORITY\\\\\\\\SYSTEM\\" AND Image.keyword:*\\\\\\\\tscon.exe)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(User:\\"NT\\\\ AUTHORITY\\\\\\\\SYSTEM\\" AND Image.keyword:*\\\\\\\\tscon.exe)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Suspicious TSCON Start\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(User:"NT AUTHORITY\\\\SYSTEM" AND Image.keyword:*\\\\tscon.exe)
+```
+
+
 ### splunk
     
 ```
@@ -55,4 +76,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" User="NT AUTHORITY\\\\SYSTEM" Image="*\\\\tscon.exe")
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*NT AUTHORITY\\SYSTEM)(?=.*.*\\tscon\\.exe))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_tscon_rdp_redirect.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_tscon_rdp_redirect.md
index a78f5b4..a6f5c1d 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_tscon_rdp_redirect.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_tscon_rdp_redirect.md
@@ -3,7 +3,7 @@
 | Description          | Detects a suspicious RDP session redirect using tscon.exe                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1076: Remote Desktop Protocol](https://attack.mitre.org/techniques/T1076)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1076: Remote Desktop Protocol](../Triggers/T1076.md)</li></ul>  |
 | Severity Level       | high |
@@ -50,6 +50,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+CommandLine.keyword:*\\ \\/dest\\:rdp\\-tcp\\:*
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-RDP-Redirect-Using-TSCON <<EOF\n{\n  "metadata": {\n    "title": "Suspicious RDP Redirect Using TSCON",\n    "description": "Detects a suspicious RDP session redirect using tscon.exe",\n    "tags": [\n      "attack.lateral_movement",\n      "attack.privilege_escalation",\n      "attack.t1076",\n      "car.2013-07-002"\n    ],\n    "query": "CommandLine.keyword:*\\\\ \\\\/dest\\\\:rdp\\\\-tcp\\\\:*"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "CommandLine.keyword:*\\\\ \\\\/dest\\\\:rdp\\\\-tcp\\\\:*",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Suspicious RDP Redirect Using TSCON\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+CommandLine.keyword:* \\/dest\\:rdp\\-tcp\\:*
+```
+
+
 ### splunk
     
 ```
@@ -57,4 +78,18 @@ CommandLine="* /dest:rdp-tcp:*"
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" CommandLine="* /dest:rdp-tcp:*")
+```
+
+
+### grep
+    
+```
+grep -P '^.* /dest:rdp-tcp:.*'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_userinit_child.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_userinit_child.md
index 482c75b..e3ae05d 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_userinit_child.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_userinit_child.md
@@ -3,7 +3,7 @@
 | Description          | Detects a suspicious child process of userinit                                                                                                                                           |
 | ATT&amp;CK Tactic    |   This Detection Rule wasn't mapped to ATT&amp;CK Tactic yet  |
 | ATT&amp;CK Technique |  This Detection Rule wasn't mapped to ATT&amp;CK Technique yet  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              |  There is no documented Trigger for this Detection Rule yet  |
 | Severity Level       | medium |
@@ -50,6 +50,27 @@ level: medium
 
 
 
+### es-qs
+    
+```
+((ParentImage.keyword:*\\\\userinit.exe AND (NOT (CommandLine.keyword:*\\\\netlogon\\\\*))) AND (NOT (Image.keyword:*\\\\explorer.exe)))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-Userinit-Child-Process <<EOF\n{\n  "metadata": {\n    "title": "Suspicious Userinit Child Process",\n    "description": "Detects a suspicious child process of userinit",\n    "tags": "",\n    "query": "((ParentImage.keyword:*\\\\\\\\userinit.exe AND (NOT (CommandLine.keyword:*\\\\\\\\netlogon\\\\\\\\*))) AND (NOT (Image.keyword:*\\\\\\\\explorer.exe)))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "((ParentImage.keyword:*\\\\\\\\userinit.exe AND (NOT (CommandLine.keyword:*\\\\\\\\netlogon\\\\\\\\*))) AND (NOT (Image.keyword:*\\\\\\\\explorer.exe)))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Suspicious Userinit Child Process\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n      CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+((ParentImage.keyword:*\\\\userinit.exe AND (NOT (CommandLine.keyword:*\\\\netlogon\\\\*))) AND (NOT (Image.keyword:*\\\\explorer.exe)))
+```
+
+
 ### splunk
     
 ```
@@ -57,4 +78,18 @@ level: medium
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" (ParentImage="*\\\\userinit.exe"  -(CommandLine="*\\\\netlogon\\\\*"))  -(Image="*\\\\explorer.exe"))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*(?=.*.*\\userinit\\.exe)(?=.*(?!.*(?:.*(?=.*.*\\\\netlogon\\\\.*))))))(?=.*(?!.*(?:.*(?=.*.*\\explorer\\.exe)))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_vssadmin_ntds_activity.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_vssadmin_ntds_activity.md
index da67195..498e197 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_vssadmin_ntds_activity.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_vssadmin_ntds_activity.md
@@ -3,7 +3,7 @@
 | Description          | Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1003: Credential Dumping](https://attack.mitre.org/techniques/T1003)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1003: Credential Dumping](../Triggers/T1003.md)</li></ul>  |
 | Severity Level       | high |
@@ -59,6 +59,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+CommandLine.keyword:(vssadmin.exe\\ Delete\\ Shadows OR vssadmin\\ create\\ shadow\\ \\/for\\=C\\: OR copy\\ \\\\?\\\\GLOBALROOT\\\\Device\\\\*\\\\windows\\\\ntds\\\\ntds.dit OR copy\\ \\\\?\\\\GLOBALROOT\\\\Device\\\\*\\\\config\\\\SAM OR vssadmin\\ delete\\ shadows\\ \\/for\\=C\\: OR reg\\ SAVE\\ HKLM\\\\SYSTEM\\  OR esentutl.exe\\ \\/y\\ \\/vss\\ *\\\\ntds.dit*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Activity-Related-to-NTDS.dit-Domain-Hash-Retrieval <<EOF\n{\n  "metadata": {\n    "title": "Activity Related to NTDS.dit Domain Hash Retrieval",\n    "description": "Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely",\n    "tags": [\n      "attack.credential_access",\n      "attack.t1003"\n    ],\n    "query": "CommandLine.keyword:(vssadmin.exe\\\\ Delete\\\\ Shadows OR vssadmin\\\\ create\\\\ shadow\\\\ \\\\/for\\\\=C\\\\: OR copy\\\\ \\\\\\\\?\\\\\\\\GLOBALROOT\\\\\\\\Device\\\\\\\\*\\\\\\\\windows\\\\\\\\ntds\\\\\\\\ntds.dit OR copy\\\\ \\\\\\\\?\\\\\\\\GLOBALROOT\\\\\\\\Device\\\\\\\\*\\\\\\\\config\\\\\\\\SAM OR vssadmin\\\\ delete\\\\ shadows\\\\ \\\\/for\\\\=C\\\\: OR reg\\\\ SAVE\\\\ HKLM\\\\\\\\SYSTEM\\\\  OR esentutl.exe\\\\ \\\\/y\\\\ \\\\/vss\\\\ *\\\\\\\\ntds.dit*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "CommandLine.keyword:(vssadmin.exe\\\\ Delete\\\\ Shadows OR vssadmin\\\\ create\\\\ shadow\\\\ \\\\/for\\\\=C\\\\: OR copy\\\\ \\\\\\\\?\\\\\\\\GLOBALROOT\\\\\\\\Device\\\\\\\\*\\\\\\\\windows\\\\\\\\ntds\\\\\\\\ntds.dit OR copy\\\\ \\\\\\\\?\\\\\\\\GLOBALROOT\\\\\\\\Device\\\\\\\\*\\\\\\\\config\\\\\\\\SAM OR vssadmin\\\\ delete\\\\ shadows\\\\ \\\\/for\\\\=C\\\\: OR reg\\\\ SAVE\\\\ HKLM\\\\\\\\SYSTEM\\\\  OR esentutl.exe\\\\ \\\\/y\\\\ \\\\/vss\\\\ *\\\\\\\\ntds.dit*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Activity Related to NTDS.dit Domain Hash Retrieval\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n      CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+CommandLine.keyword:(vssadmin.exe Delete Shadows vssadmin create shadow \\/for=C\\: copy \\\\?\\\\GLOBALROOT\\\\Device\\\\*\\\\windows\\\\ntds\\\\ntds.dit copy \\\\?\\\\GLOBALROOT\\\\Device\\\\*\\\\config\\\\SAM vssadmin delete shadows \\/for=C\\: reg SAVE HKLM\\\\SYSTEM  esentutl.exe \\/y \\/vss *\\\\ntds.dit*)
+```
+
+
 ### splunk
     
 ```
@@ -66,4 +87,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" CommandLine IN ["vssadmin.exe Delete Shadows", "vssadmin create shadow /for=C:", "copy \\\\?\\\\GLOBALROOT\\\\Device\\\\*\\\\windows\\\\ntds\\\\ntds.dit", "copy \\\\?\\\\GLOBALROOT\\\\Device\\\\*\\\\config\\\\SAM", "vssadmin delete shadows /for=C:", "reg SAVE HKLM\\\\SYSTEM ", "esentutl.exe /y /vss *\\\\ntds.dit*"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*vssadmin\\.exe Delete Shadows|.*vssadmin create shadow /for=C:|.*copy \\\\?\\GLOBALROOT\\Device\\\\.*\\windows\\ntds\\ntds\\.dit|.*copy \\\\?\\GLOBALROOT\\Device\\\\.*\\config\\SAM|.*vssadmin delete shadows /for=C:|.*reg SAVE HKLM\\SYSTEM |.*esentutl\\.exe /y /vss .*\\ntds\\.dit.*)'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_whoami.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_whoami.md
index 7a23310..0842dbe 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_whoami.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_whoami.md
@@ -51,6 +51,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(Image.keyword:*\\\\whoami.exe OR OriginalFileName:"whoami.exe")
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Whoami-Execution <<EOF\n{\n  "metadata": {\n    "title": "Whoami Execution",\n    "description": "Detects the execution of whoami, which is often used by attackers after exloitation / privilege escalation but rarely used by administrators",\n    "tags": [\n      "attack.discovery",\n      "attack.t1033",\n      "car.2016-03-001"\n    ],\n    "query": "(Image.keyword:*\\\\\\\\whoami.exe OR OriginalFileName:\\"whoami.exe\\")"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(Image.keyword:*\\\\\\\\whoami.exe OR OriginalFileName:\\"whoami.exe\\")",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Whoami Execution\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(Image.keyword:*\\\\whoami.exe OR OriginalFileName:"whoami.exe")
+```
+
+
 ### splunk
     
 ```
@@ -58,4 +79,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" (Image="*\\\\whoami.exe" OR OriginalFileName="whoami.exe"))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?:.*.*\\whoami\\.exe|.*whoami\\.exe))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_susp_wmi_execution.md b/Atomic_Threat_Coverage/Detection_Rules/win_susp_wmi_execution.md
index 911cb64..6a9eb71 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_susp_wmi_execution.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_susp_wmi_execution.md
@@ -3,7 +3,7 @@
 | Description          | Detects WMI executing suspicious commands                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1047: Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1047: Windows Management Instrumentation](../Triggers/T1047.md)</li></ul>  |
 | Severity Level       | medium |
@@ -58,6 +58,27 @@ level: medium
 
 
 
+### es-qs
+    
+```
+(Image.keyword:(*\\\\wmic.exe) AND CommandLine.keyword:(*\\/NODE\\:*process\\ call\\ create\\ * OR *\\ path\\ AntiVirusProduct\\ get\\ * OR *\\ path\\ FirewallProduct\\ get\\ * OR *\\ shadowcopy\\ delete\\ *))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Suspicious-WMI-execution <<EOF\n{\n  "metadata": {\n    "title": "Suspicious WMI execution",\n    "description": "Detects WMI executing suspicious commands",\n    "tags": [\n      "attack.execution",\n      "attack.t1047",\n      "car.2016-03-002"\n    ],\n    "query": "(Image.keyword:(*\\\\\\\\wmic.exe) AND CommandLine.keyword:(*\\\\/NODE\\\\:*process\\\\ call\\\\ create\\\\ * OR *\\\\ path\\\\ AntiVirusProduct\\\\ get\\\\ * OR *\\\\ path\\\\ FirewallProduct\\\\ get\\\\ * OR *\\\\ shadowcopy\\\\ delete\\\\ *))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(Image.keyword:(*\\\\\\\\wmic.exe) AND CommandLine.keyword:(*\\\\/NODE\\\\:*process\\\\ call\\\\ create\\\\ * OR *\\\\ path\\\\ AntiVirusProduct\\\\ get\\\\ * OR *\\\\ path\\\\ FirewallProduct\\\\ get\\\\ * OR *\\\\ shadowcopy\\\\ delete\\\\ *))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Suspicious WMI execution\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n      CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(Image.keyword:(*\\\\wmic.exe) AND CommandLine.keyword:(*\\/NODE\\:*process call create * * path AntiVirusProduct get * * path FirewallProduct get * * shadowcopy delete *))
+```
+
+
 ### splunk
     
 ```
@@ -65,4 +86,18 @@ level: medium
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" Image IN ["*\\\\wmic.exe"] CommandLine IN ["*/NODE:*process call create *", "* path AntiVirusProduct get *", "* path FirewallProduct get *", "* shadowcopy delete *"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*.*\\wmic\\.exe))(?=.*(?:.*.*/NODE:.*process call create .*|.*.* path AntiVirusProduct get .*|.*.* path FirewallProduct get .*|.*.* shadowcopy delete .*)))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_svcctl_remote_service.md b/Atomic_Threat_Coverage/Detection_Rules/win_svcctl_remote_service.md
index 48443a2..8f3bb35 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_svcctl_remote_service.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_svcctl_remote_service.md
@@ -48,6 +48,27 @@ level: medium
 
 
 
+### es-qs
+    
+```
+(EventID:"5145" AND ShareName.keyword:\\\\*\\\\IPC$ AND RelativeTargetName:"svcctl" AND Accesses.keyword:*WriteData*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Remote-Service-Activity-Detected-via-SVCCTL-named-pipe <<EOF\n{\n  "metadata": {\n    "title": "Remote Service Activity Detected via SVCCTL named pipe",\n    "description": "Detects remote remote service activity via remote access to the svcctl named pipe",\n    "tags": [\n      "attack.lateral_movement",\n      "attack.persistence"\n    ],\n    "query": "(EventID:\\"5145\\" AND ShareName.keyword:\\\\\\\\*\\\\\\\\IPC$ AND RelativeTargetName:\\"svcctl\\" AND Accesses.keyword:*WriteData*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(EventID:\\"5145\\" AND ShareName.keyword:\\\\\\\\*\\\\\\\\IPC$ AND RelativeTargetName:\\"svcctl\\" AND Accesses.keyword:*WriteData*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Remote Service Activity Detected via SVCCTL named pipe\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(EventID:"5145" AND ShareName.keyword:\\\\*\\\\IPC$ AND RelativeTargetName:"svcctl" AND Accesses.keyword:*WriteData*)
+```
+
+
 ### splunk
     
 ```
@@ -55,4 +76,18 @@ level: medium
 ```
 
 
+### logpoint
+    
+```
+(event_source="Microsoft-Windows-Security-Auditing" event_id="5145" ShareName="\\\\*\\\\IPC$" RelativeTargetName="svcctl" Accesses="*WriteData*")
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*5145)(?=.*\\\\.*\\IPC\\$)(?=.*svcctl)(?=.*.*WriteData.*))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_sysmon_driver_unload.md b/Atomic_Threat_Coverage/Detection_Rules/win_sysmon_driver_unload.md
index d41eb39..86fd5fe 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_sysmon_driver_unload.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_sysmon_driver_unload.md
@@ -49,6 +49,27 @@ fields:
 
 
 
+### es-qs
+    
+```
+(Image.keyword:*\\\\fltmc.exe AND CommandLine.keyword:*unload* AND CommandLine.keyword:*sys*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Sysmon-driver-unload <<EOF\n{\n  "metadata": {\n    "title": "Sysmon driver unload",\n    "description": "Detect possible Sysmon driver unload",\n    "tags": "",\n    "query": "(Image.keyword:*\\\\\\\\fltmc.exe AND CommandLine.keyword:*unload* AND CommandLine.keyword:*sys*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(Image.keyword:*\\\\\\\\fltmc.exe AND CommandLine.keyword:*unload* AND CommandLine.keyword:*sys*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Sysmon driver unload\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\nCommandLine = {{_source.CommandLine}}\\n    Details = {{_source.Details}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(Image.keyword:*\\\\fltmc.exe AND CommandLine.keyword:*unload* AND CommandLine.keyword:*sys*)
+```
+
+
 ### splunk
     
 ```
@@ -56,4 +77,18 @@ fields:
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" Image="*\\\\fltmc.exe" CommandLine="*unload*" CommandLine="*sys*")
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*.*\\fltmc\\.exe)(?=.*.*unload.*)(?=.*.*sys.*))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_system_exe_anomaly.md b/Atomic_Threat_Coverage/Detection_Rules/win_system_exe_anomaly.md
index 27cf81c..d28a09c 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_system_exe_anomaly.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_system_exe_anomaly.md
@@ -3,7 +3,7 @@
 | Description          | Detects a Windows program executable started in a suspicious folder                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1036: Masquerading](https://attack.mitre.org/techniques/T1036)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1036: Masquerading](../Triggers/T1036.md)</li></ul>  |
 | Severity Level       | high |
@@ -67,6 +67,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(Image.keyword:(*\\\\svchost.exe OR *\\\\rundll32.exe OR *\\\\services.exe OR *\\\\powershell.exe OR *\\\\regsvr32.exe OR *\\\\spoolsv.exe OR *\\\\lsass.exe OR *\\\\smss.exe OR *\\\\csrss.exe OR *\\\\conhost.exe OR *\\\\wininit.exe OR *\\\\lsm.exe OR *\\\\winlogon.exe OR *\\\\explorer.exe OR *\\\\taskhost.exe) AND (NOT (Image.keyword:(C\\:\\\\Windows\\\\System32\\\\* OR C\\:\\\\Windows\\\\SysWow64\\\\* OR C\\:\\\\Windows\\\\explorer.exe OR C\\:\\\\Windows\\\\winsxs\\\\*))))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/System-File-Execution-Location-Anomaly <<EOF\n{\n  "metadata": {\n    "title": "System File Execution Location Anomaly",\n    "description": "Detects a Windows program executable started in a suspicious folder",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.t1036"\n    ],\n    "query": "(Image.keyword:(*\\\\\\\\svchost.exe OR *\\\\\\\\rundll32.exe OR *\\\\\\\\services.exe OR *\\\\\\\\powershell.exe OR *\\\\\\\\regsvr32.exe OR *\\\\\\\\spoolsv.exe OR *\\\\\\\\lsass.exe OR *\\\\\\\\smss.exe OR *\\\\\\\\csrss.exe OR *\\\\\\\\conhost.exe OR *\\\\\\\\wininit.exe OR *\\\\\\\\lsm.exe OR *\\\\\\\\winlogon.exe OR *\\\\\\\\explorer.exe OR *\\\\\\\\taskhost.exe) AND (NOT (Image.keyword:(C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\SysWow64\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\explorer.exe OR C\\\\:\\\\\\\\Windows\\\\\\\\winsxs\\\\\\\\*))))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(Image.keyword:(*\\\\\\\\svchost.exe OR *\\\\\\\\rundll32.exe OR *\\\\\\\\services.exe OR *\\\\\\\\powershell.exe OR *\\\\\\\\regsvr32.exe OR *\\\\\\\\spoolsv.exe OR *\\\\\\\\lsass.exe OR *\\\\\\\\smss.exe OR *\\\\\\\\csrss.exe OR *\\\\\\\\conhost.exe OR *\\\\\\\\wininit.exe OR *\\\\\\\\lsm.exe OR *\\\\\\\\winlogon.exe OR *\\\\\\\\explorer.exe OR *\\\\\\\\taskhost.exe) AND (NOT (Image.keyword:(C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\SysWow64\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\explorer.exe OR C\\\\:\\\\\\\\Windows\\\\\\\\winsxs\\\\\\\\*))))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'System File Execution Location Anomaly\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(Image.keyword:(*\\\\svchost.exe *\\\\rundll32.exe *\\\\services.exe *\\\\powershell.exe *\\\\regsvr32.exe *\\\\spoolsv.exe *\\\\lsass.exe *\\\\smss.exe *\\\\csrss.exe *\\\\conhost.exe *\\\\wininit.exe *\\\\lsm.exe *\\\\winlogon.exe *\\\\explorer.exe *\\\\taskhost.exe) AND (NOT (Image.keyword:(C\\:\\\\Windows\\\\System32\\\\* C\\:\\\\Windows\\\\SysWow64\\\\* C\\:\\\\Windows\\\\explorer.exe C\\:\\\\Windows\\\\winsxs\\\\*))))
+```
+
+
 ### splunk
     
 ```
@@ -74,4 +95,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" Image IN ["*\\\\svchost.exe", "*\\\\rundll32.exe", "*\\\\services.exe", "*\\\\powershell.exe", "*\\\\regsvr32.exe", "*\\\\spoolsv.exe", "*\\\\lsass.exe", "*\\\\smss.exe", "*\\\\csrss.exe", "*\\\\conhost.exe", "*\\\\wininit.exe", "*\\\\lsm.exe", "*\\\\winlogon.exe", "*\\\\explorer.exe", "*\\\\taskhost.exe"]  -(Image IN ["C:\\\\Windows\\\\System32\\\\*", "C:\\\\Windows\\\\SysWow64\\\\*", "C:\\\\Windows\\\\explorer.exe", "C:\\\\Windows\\\\winsxs\\\\*"]))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*.*\\svchost\\.exe|.*.*\\rundll32\\.exe|.*.*\\services\\.exe|.*.*\\powershell\\.exe|.*.*\\regsvr32\\.exe|.*.*\\spoolsv\\.exe|.*.*\\lsass\\.exe|.*.*\\smss\\.exe|.*.*\\csrss\\.exe|.*.*\\conhost\\.exe|.*.*\\wininit\\.exe|.*.*\\lsm\\.exe|.*.*\\winlogon\\.exe|.*.*\\explorer\\.exe|.*.*\\taskhost\\.exe))(?=.*(?!.*(?:.*(?=.*(?:.*C:\\Windows\\System32\\\\.*|.*C:\\Windows\\SysWow64\\\\.*|.*C:\\Windows\\explorer\\.exe|.*C:\\Windows\\winsxs\\\\.*))))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_termserv_proc_spawn.md b/Atomic_Threat_Coverage/Detection_Rules/win_termserv_proc_spawn.md
index 408fa65..7ce02c6 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_termserv_proc_spawn.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_termserv_proc_spawn.md
@@ -48,6 +48,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(ParentCommandLine.keyword:*\\\\svchost.exe*termsvcs AND (NOT (Image.keyword:*\\\\rdpclip.exe)))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Terminal-Service-Process-Spawn <<EOF\n{\n  "metadata": {\n    "title": "Terminal Service Process Spawn",\n    "description": "Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)",\n    "tags": [\n      "car.2013-07-002"\n    ],\n    "query": "(ParentCommandLine.keyword:*\\\\\\\\svchost.exe*termsvcs AND (NOT (Image.keyword:*\\\\\\\\rdpclip.exe)))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(ParentCommandLine.keyword:*\\\\\\\\svchost.exe*termsvcs AND (NOT (Image.keyword:*\\\\\\\\rdpclip.exe)))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Terminal Service Process Spawn\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(ParentCommandLine.keyword:*\\\\svchost.exe*termsvcs AND (NOT (Image.keyword:*\\\\rdpclip.exe)))
+```
+
+
 ### splunk
     
 ```
@@ -55,4 +76,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" ParentCommandLine="*\\\\svchost.exe*termsvcs"  -(Image="*\\\\rdpclip.exe"))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*.*\\svchost\\.exe.*termsvcs)(?=.*(?!.*(?:.*(?=.*.*\\rdpclip\\.exe)))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_tool_psexec.md b/Atomic_Threat_Coverage/Detection_Rules/win_tool_psexec.md
index 6a28fc4..6fc6daf 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_tool_psexec.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_tool_psexec.md
@@ -3,7 +3,7 @@
 | Description          | Detects PsExec service installation and execution events (service and Sysmon)                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1035: Service Execution](https://attack.mitre.org/techniques/T1035)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0031_7036_service_started_stopped](../Data_Needed/DN_0031_7036_service_started_stopped.md)</li><li>[DN_0005_7045_windows_service_insatalled](../Data_Needed/DN_0005_7045_windows_service_insatalled.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0005_7045_windows_service_insatalled](../Data_Needed/DN_0005_7045_windows_service_insatalled.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0031_7036_service_started_stopped](../Data_Needed/DN_0031_7036_service_started_stopped.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1035: Service Execution](../Triggers/T1035.md)</li></ul>  |
 | Severity Level       | low |
@@ -70,6 +70,27 @@ detection:
 
 
 
+### es-qs
+    
+```
+(ServiceName:"PSEXESVC" AND ((EventID:"7045" AND ServiceFileName.keyword:*\\\\PSEXESVC.exe) OR EventID:"7036"))\n(Image.keyword:*\\\\PSEXESVC.exe AND User:"NT\\ AUTHORITY\\\\SYSTEM")
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/PsExec-Tool-Execution <<EOF\n{\n  "metadata": {\n    "title": "PsExec Tool Execution",\n    "description": "Detects PsExec service installation and execution events (service and Sysmon)",\n    "tags": [\n      "attack.execution",\n      "attack.t1035",\n      "attack.s0029"\n    ],\n    "query": "(ServiceName:\\"PSEXESVC\\" AND ((EventID:\\"7045\\" AND ServiceFileName.keyword:*\\\\\\\\PSEXESVC.exe) OR EventID:\\"7036\\"))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(ServiceName:\\"PSEXESVC\\" AND ((EventID:\\"7045\\" AND ServiceFileName.keyword:*\\\\\\\\PSEXESVC.exe) OR EventID:\\"7036\\"))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'PsExec Tool Execution\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n          EventID = {{_source.EventID}}\\n      CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}\\n      ServiceName = {{_source.ServiceName}}\\n  ServiceFileName = {{_source.ServiceFileName}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\ncurl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/PsExec-Tool-Execution-2 <<EOF\n{\n  "metadata": {\n    "title": "PsExec Tool Execution",\n    "description": "Detects PsExec service installation and execution events (service and Sysmon)",\n    "tags": [\n      "attack.execution",\n      "attack.t1035",\n      "attack.s0029"\n    ],\n    "query": "(Image.keyword:*\\\\\\\\PSEXESVC.exe AND User:\\"NT\\\\ AUTHORITY\\\\\\\\SYSTEM\\")"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(Image.keyword:*\\\\\\\\PSEXESVC.exe AND User:\\"NT\\\\ AUTHORITY\\\\\\\\SYSTEM\\")",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'PsExec Tool Execution\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n          EventID = {{_source.EventID}}\\n      CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}\\n      ServiceName = {{_source.ServiceName}}\\n  ServiceFileName = {{_source.ServiceFileName}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(ServiceName:"PSEXESVC" AND ((EventID:"7045" AND ServiceFileName.keyword:*\\\\PSEXESVC.exe) OR EventID:"7036"))\n(Image.keyword:*\\\\PSEXESVC.exe AND User:"NT AUTHORITY\\\\SYSTEM")
+```
+
+
 ### splunk
     
 ```
@@ -77,4 +98,18 @@ detection:
 ```
 
 
+### logpoint
+    
+```
+(event_source="Microsoft-Windows-Security-Auditing" service="PSEXESVC" ((event_id="7045" ServiceFileName="*\\\\PSEXESVC.exe") OR event_id="7036"))\n(event_id="1" Image="*\\\\PSEXESVC.exe" User="NT AUTHORITY\\\\SYSTEM")
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*PSEXESVC)(?=.*(?:.*(?:.*(?:.*(?=.*7045)(?=.*.*\\PSEXESVC\\.exe))|.*7036))))'\ngrep -P '^(?:.*(?=.*.*\\PSEXESVC\\.exe)(?=.*NT AUTHORITY\\SYSTEM))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_usb_device_plugged.md b/Atomic_Threat_Coverage/Detection_Rules/win_usb_device_plugged.md
index 9c8dbf4..3662a47 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_usb_device_plugged.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_usb_device_plugged.md
@@ -3,7 +3,7 @@
 | Description          | Detects plugged USB devices                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0001: Initial Access](https://attack.mitre.org/tactics/TA0001)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1200: Hardware Additions](https://attack.mitre.org/techniques/T1200)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0053_2100_pnp_or_power_operation_for_usb_device](../Data_Needed/DN_0053_2100_pnp_or_power_operation_for_usb_device.md)</li><li>[DN_0052_2003_query_to_load_usb_drivers](../Data_Needed/DN_0052_2003_query_to_load_usb_drivers.md)</li><li>[DN_0054_2102_pnp_or_power_operation_for_usb_device](../Data_Needed/DN_0054_2102_pnp_or_power_operation_for_usb_device.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0053_2100_pnp_or_power_operation_for_usb_device](../Data_Needed/DN_0053_2100_pnp_or_power_operation_for_usb_device.md)</li><li>[DN_0054_2102_pnp_or_power_operation_for_usb_device](../Data_Needed/DN_0054_2102_pnp_or_power_operation_for_usb_device.md)</li><li>[DN_0052_2003_query_to_load_usb_drivers](../Data_Needed/DN_0052_2003_query_to_load_usb_drivers.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1200: Hardware Additions](../Triggers/T1200.md)</li></ul>  |
 | Severity Level       | low |
@@ -49,6 +49,27 @@ level: low
 
 
 
+### es-qs
+    
+```
+EventID:("2003" OR "2100" OR "2102")
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/USB-Device-Plugged <<EOF\n{\n  "metadata": {\n    "title": "USB Device Plugged",\n    "description": "Detects plugged USB devices",\n    "tags": [\n      "attack.initial_access",\n      "attack.t1200"\n    ],\n    "query": "EventID:(\\"2003\\" OR \\"2100\\" OR \\"2102\\")"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "EventID:(\\"2003\\" OR \\"2100\\" OR \\"2102\\")",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'USB Device Plugged\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+EventID:("2003" "2100" "2102")
+```
+
+
 ### splunk
     
 ```
@@ -56,4 +77,18 @@ level: low
 ```
 
 
+### logpoint
+    
+```
+(source="Microsoft-Windows-DriverFrameworks-UserMode/Operational" event_id IN ["2003", "2100", "2102"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*2003|.*2100|.*2102)'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_user_added_to_local_administrators.md b/Atomic_Threat_Coverage/Detection_Rules/win_user_added_to_local_administrators.md
index bbdd45c..d1f9715 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_user_added_to_local_administrators.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_user_added_to_local_administrators.md
@@ -50,6 +50,27 @@ level: medium
 
 
 
+### es-qs
+    
+```
+((EventID:"4732" AND (GroupName:"Administrators" OR GroupSid:"S\\-1\\-5\\-32\\-544")) AND (NOT (SubjectUserName.keyword:*$)))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/User-Added-to-Local-Administrators <<EOF\n{\n  "metadata": {\n    "title": "User Added to Local Administrators",\n    "description": "This rule triggers on user accounts that are added to the local Administrators group, which could be legitimate activity or a sign of privilege escalation activity",\n    "tags": [\n      "attack.privilege_escalation",\n      "attack.t1078"\n    ],\n    "query": "((EventID:\\"4732\\" AND (GroupName:\\"Administrators\\" OR GroupSid:\\"S\\\\-1\\\\-5\\\\-32\\\\-544\\")) AND (NOT (SubjectUserName.keyword:*$)))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "((EventID:\\"4732\\" AND (GroupName:\\"Administrators\\" OR GroupSid:\\"S\\\\-1\\\\-5\\\\-32\\\\-544\\")) AND (NOT (SubjectUserName.keyword:*$)))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'User Added to Local Administrators\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+((EventID:"4732" AND (GroupName:"Administrators" OR GroupSid:"S\\-1\\-5\\-32\\-544")) AND (NOT (SubjectUserName.keyword:*$)))
+```
+
+
 ### splunk
     
 ```
@@ -57,4 +78,18 @@ level: medium
 ```
 
 
+### logpoint
+    
+```
+(event_source="Microsoft-Windows-Security-Auditing" (event_id="4732" event_source="Microsoft-Windows-Security-Auditing" (group_name="Administrators" OR group_sid="S-1-5-32-544"))  -(SubjectUserName="*$"))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*(?=.*4732)(?=.*(?:.*(?:.*Administrators|.*S-1-5-32-544)))))(?=.*(?!.*(?:.*(?=.*.*\\$)))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_user_creation.md b/Atomic_Threat_Coverage/Detection_Rules/win_user_creation.md
index 64a7cfb..db188f7 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_user_creation.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_user_creation.md
@@ -53,6 +53,27 @@ level: low
 
 
 
+### es-qs
+    
+```
+EventID:"4720"
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Detects-local-user-creation <<EOF\n{\n  "metadata": {\n    "title": "Detects local user creation",\n    "description": "Detects local user creation on windows servers, which shouldn\'t happen in an Active Directory environment. Apply this Sigma Use Case on your windows server logs and not on your DC logs.",\n    "tags": [\n      "attack.persistence",\n      "attack.t1136"\n    ],\n    "query": "EventID:\\"4720\\""\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "EventID:\\"4720\\"",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Detects local user creation\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n    EventCode = {{_source.EventCode}}\\n  AccountName = {{_source.AccountName}}\\nAccountDomain = {{_source.AccountDomain}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+EventID:"4720"
+```
+
+
 ### splunk
     
 ```
@@ -60,4 +81,18 @@ EventID="4720" | table EventCode,AccountName,AccountDomain
 ```
 
 
+### logpoint
+    
+```
+(event_source="Microsoft-Windows-Security-Auditing" event_id="4720")
+```
+
+
+### grep
+    
+```
+grep -P '^4720'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_vul_java_remote_debugging.md b/Atomic_Threat_Coverage/Detection_Rules/win_vul_java_remote_debugging.md
index 05bb26d..9af0f4a 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_vul_java_remote_debugging.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_vul_java_remote_debugging.md
@@ -3,7 +3,7 @@
 | Description          | Detects a JAVA process running with remote debugging allowing more than just localhost to connect                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1046: Network Service Scanning](https://attack.mitre.org/techniques/T1046)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1046: Network Service Scanning](../Triggers/T1046.md)</li></ul>  |
 | Severity Level       | medium |
@@ -48,6 +48,27 @@ level: medium
 
 
 
+### es-qs
+    
+```
+(CommandLine.keyword:*transport\\=dt_socket,address\\=* AND (NOT (CommandLine.keyword:*address\\=127.0.0.1* OR CommandLine.keyword:*address\\=localhost*)))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Java-Running-with-Remote-Debugging <<EOF\n{\n  "metadata": {\n    "title": "Java Running with Remote Debugging",\n    "description": "Detects a JAVA process running with remote debugging allowing more than just localhost to connect",\n    "tags": [\n      "attack.discovery",\n      "attack.t1046"\n    ],\n    "query": "(CommandLine.keyword:*transport\\\\=dt_socket,address\\\\=* AND (NOT (CommandLine.keyword:*address\\\\=127.0.0.1* OR CommandLine.keyword:*address\\\\=localhost*)))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(CommandLine.keyword:*transport\\\\=dt_socket,address\\\\=* AND (NOT (CommandLine.keyword:*address\\\\=127.0.0.1* OR CommandLine.keyword:*address\\\\=localhost*)))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Java Running with Remote Debugging\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n      CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(CommandLine.keyword:*transport=dt_socket,address=* AND (NOT (CommandLine.keyword:*address=127.0.0.1* OR CommandLine.keyword:*address=localhost*)))
+```
+
+
 ### splunk
     
 ```
@@ -55,4 +76,18 @@ level: medium
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" CommandLine="*transport=dt_socket,address=*"  -(CommandLine="*address=127.0.0.1*" OR CommandLine="*address=localhost*"))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*.*transport=dt_socket,address=.*)(?=.*(?!.*(?:.*(?:.*(?=.*.*address=127\\.0\\.0\\.1.*)|.*(?=.*.*address=localhost.*))))))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_webshell_detection.md b/Atomic_Threat_Coverage/Detection_Rules/win_webshell_detection.md
index 766ca59..e44bee2 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_webshell_detection.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_webshell_detection.md
@@ -3,7 +3,7 @@
 | Description          | Detects certain command line parameters often used during reconnaissance activity via web shells                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1100: Web Shell](https://attack.mitre.org/techniques/T1100)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1100: Web Shell](../Triggers/T1100.md)</li></ul>  |
 | Severity Level       | high |
@@ -63,6 +63,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(ParentImage.keyword:(*\\\\apache* OR *\\\\tomcat* OR *\\\\w3wp.exe OR *\\\\php\\-cgi.exe OR *\\\\nginx.exe OR *\\\\httpd.exe) AND CommandLine.keyword:(*whoami* OR *net\\ user\\ * OR *ping\\ \\-n\\ * OR *systeminfo OR *&cd&echo* OR *cd\\ \\/d*))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Webshell-Detection-With-Command-Line-Keywords <<EOF\n{\n  "metadata": {\n    "title": "Webshell Detection With Command Line Keywords",\n    "description": "Detects certain command line parameters often used during reconnaissance activity via web shells",\n    "tags": [\n      "attack.privilege_escalation",\n      "attack.persistence",\n      "attack.t1100"\n    ],\n    "query": "(ParentImage.keyword:(*\\\\\\\\apache* OR *\\\\\\\\tomcat* OR *\\\\\\\\w3wp.exe OR *\\\\\\\\php\\\\-cgi.exe OR *\\\\\\\\nginx.exe OR *\\\\\\\\httpd.exe) AND CommandLine.keyword:(*whoami* OR *net\\\\ user\\\\ * OR *ping\\\\ \\\\-n\\\\ * OR *systeminfo OR *&cd&echo* OR *cd\\\\ \\\\/d*))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(ParentImage.keyword:(*\\\\\\\\apache* OR *\\\\\\\\tomcat* OR *\\\\\\\\w3wp.exe OR *\\\\\\\\php\\\\-cgi.exe OR *\\\\\\\\nginx.exe OR *\\\\\\\\httpd.exe) AND CommandLine.keyword:(*whoami* OR *net\\\\ user\\\\ * OR *ping\\\\ \\\\-n\\\\ * OR *systeminfo OR *&cd&echo* OR *cd\\\\ \\\\/d*))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Webshell Detection With Command Line Keywords\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n      CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(ParentImage.keyword:(*\\\\apache* *\\\\tomcat* *\\\\w3wp.exe *\\\\php\\-cgi.exe *\\\\nginx.exe *\\\\httpd.exe) AND CommandLine.keyword:(*whoami* *net user * *ping \\-n * *systeminfo *&cd&echo* *cd \\/d*))
+```
+
+
 ### splunk
     
 ```
@@ -70,4 +91,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" ParentImage IN ["*\\\\apache*", "*\\\\tomcat*", "*\\\\w3wp.exe", "*\\\\php-cgi.exe", "*\\\\nginx.exe", "*\\\\httpd.exe"] CommandLine IN ["*whoami*", "*net user *", "*ping -n *", "*systeminfo", "*&cd&echo*", "*cd /d*"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*.*\\apache.*|.*.*\\tomcat.*|.*.*\\w3wp\\.exe|.*.*\\php-cgi\\.exe|.*.*\\nginx\\.exe|.*.*\\httpd\\.exe))(?=.*(?:.*.*whoami.*|.*.*net user .*|.*.*ping -n .*|.*.*systeminfo|.*.*&cd&echo.*|.*.*cd /d.*)))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_webshell_spawn.md b/Atomic_Threat_Coverage/Detection_Rules/win_webshell_spawn.md
index 585ef14..8de733a 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_webshell_spawn.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_webshell_spawn.md
@@ -3,7 +3,7 @@
 | Description          | Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1100: Web Shell](https://attack.mitre.org/techniques/T1100)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1100: Web Shell](../Triggers/T1100.md)</li></ul>  |
 | Severity Level       | high |
@@ -56,6 +56,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(ParentImage.keyword:(*\\\\w3wp.exe OR *\\\\httpd.exe OR *\\\\nginx.exe OR *\\\\php\\-cgi.exe) AND Image.keyword:(*\\\\cmd.exe OR *\\\\sh.exe OR *\\\\bash.exe OR *\\\\powershell.exe))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Shells-Spawned-by-Web-Servers <<EOF\n{\n  "metadata": {\n    "title": "Shells Spawned by Web Servers",\n    "description": "Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack",\n    "tags": [\n      "attack.privilege_escalation",\n      "attack.persistence",\n      "attack.t1100"\n    ],\n    "query": "(ParentImage.keyword:(*\\\\\\\\w3wp.exe OR *\\\\\\\\httpd.exe OR *\\\\\\\\nginx.exe OR *\\\\\\\\php\\\\-cgi.exe) AND Image.keyword:(*\\\\\\\\cmd.exe OR *\\\\\\\\sh.exe OR *\\\\\\\\bash.exe OR *\\\\\\\\powershell.exe))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(ParentImage.keyword:(*\\\\\\\\w3wp.exe OR *\\\\\\\\httpd.exe OR *\\\\\\\\nginx.exe OR *\\\\\\\\php\\\\-cgi.exe) AND Image.keyword:(*\\\\\\\\cmd.exe OR *\\\\\\\\sh.exe OR *\\\\\\\\bash.exe OR *\\\\\\\\powershell.exe))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Shells Spawned by Web Servers\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n      CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(ParentImage.keyword:(*\\\\w3wp.exe *\\\\httpd.exe *\\\\nginx.exe *\\\\php\\-cgi.exe) AND Image.keyword:(*\\\\cmd.exe *\\\\sh.exe *\\\\bash.exe *\\\\powershell.exe))
+```
+
+
 ### splunk
     
 ```
@@ -63,4 +84,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" ParentImage IN ["*\\\\w3wp.exe", "*\\\\httpd.exe", "*\\\\nginx.exe", "*\\\\php-cgi.exe"] Image IN ["*\\\\cmd.exe", "*\\\\sh.exe", "*\\\\bash.exe", "*\\\\powershell.exe"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*.*\\w3wp\\.exe|.*.*\\httpd\\.exe|.*.*\\nginx\\.exe|.*.*\\php-cgi\\.exe))(?=.*(?:.*.*\\cmd\\.exe|.*.*\\sh\\.exe|.*.*\\bash\\.exe|.*.*\\powershell\\.exe)))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_win10_sched_task_0day.md b/Atomic_Threat_Coverage/Detection_Rules/win_win10_sched_task_0day.md
index db6f29d..d3d2608 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_win10_sched_task_0day.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_win10_sched_task_0day.md
@@ -3,7 +3,7 @@
 | Description          | Detects Task Scheduler .job import arbitrary DACL write\par                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1053: Scheduled Task](https://attack.mitre.org/techniques/T1053)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1053: Scheduled Task](../Triggers/T1053.md)</li></ul>  |
 | Severity Level       | high |
@@ -49,6 +49,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(Image:"schtasks.exe" AND CommandLine.keyword:*\\/change*\\/TN*\\/RU*\\/RP*)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Windows-10-scheduled-task-SandboxEscaper-0-day <<EOF\n{\n  "metadata": {\n    "title": "Windows 10 scheduled task SandboxEscaper 0-day",\n    "description": "Detects Task Scheduler .job import arbitrary DACL write\\\\par",\n    "tags": [\n      "attack.privilege_escalation",\n      "attack.execution",\n      "attack.t1053",\n      "car.2013-08-001"\n    ],\n    "query": "(Image:\\"schtasks.exe\\" AND CommandLine.keyword:*\\\\/change*\\\\/TN*\\\\/RU*\\\\/RP*)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(Image:\\"schtasks.exe\\" AND CommandLine.keyword:*\\\\/change*\\\\/TN*\\\\/RU*\\\\/RP*)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Windows 10 scheduled task SandboxEscaper 0-day\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(Image:"schtasks.exe" AND CommandLine.keyword:*\\/change*\\/TN*\\/RU*\\/RP*)
+```
+
+
 ### splunk
     
 ```
@@ -56,4 +77,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" Image="schtasks.exe" CommandLine="*/change*/TN*/RU*/RP*")
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*schtasks\\.exe)(?=.*.*/change.*/TN.*/RU.*/RP.*))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_wmi_backdoor_exchange_transport_agent.md b/Atomic_Threat_Coverage/Detection_Rules/win_wmi_backdoor_exchange_transport_agent.md
index 9ea8d62..b8774c3 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_wmi_backdoor_exchange_transport_agent.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_wmi_backdoor_exchange_transport_agent.md
@@ -3,7 +3,7 @@
 | Description          | Detects a WMi backdoor in Exchange Transport Agents via WMi event filters                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1084: Windows Management Instrumentation Event Subscription](https://attack.mitre.org/techniques/T1084)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1084: Windows Management Instrumentation Event Subscription](../Triggers/T1084.md)</li></ul>  |
 | Severity Level       | critical |
@@ -48,6 +48,27 @@ level: critical
 
 
 
+### es-qs
+    
+```
+ParentImage.keyword:*\\\\EdgeTransport.exe
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/WMI-Backdoor-Exchange-Transport-Agent <<EOF\n{\n  "metadata": {\n    "title": "WMI Backdoor Exchange Transport Agent",\n    "description": "Detects a WMi backdoor in Exchange Transport Agents via WMi event filters",\n    "tags": [\n      "attack.persistence",\n      "attack.t1084"\n    ],\n    "query": "ParentImage.keyword:*\\\\\\\\EdgeTransport.exe"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "ParentImage.keyword:*\\\\\\\\EdgeTransport.exe",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'WMI Backdoor Exchange Transport Agent\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+ParentImage.keyword:*\\\\EdgeTransport.exe
+```
+
+
 ### splunk
     
 ```
@@ -55,4 +76,18 @@ ParentImage="*\\\\EdgeTransport.exe"
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" ParentImage="*\\\\EdgeTransport.exe")
+```
+
+
+### grep
+    
+```
+grep -P '^.*\\EdgeTransport\\.exe'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_wmi_persistence.md b/Atomic_Threat_Coverage/Detection_Rules/win_wmi_persistence.md
index 9676b49..b7c83e6 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_wmi_persistence.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_wmi_persistence.md
@@ -3,7 +3,7 @@
 | Description          | Detects suspicious WMI event filter and command line event consumer based on event id 5861 and 5859 (Windows 10, 2012 and higher)                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1047: Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0080_5859_wmi_activity](../Data_Needed/DN_0080_5859_wmi_activity.md)</li><li>[DN_0081_5861_wmi_activity](../Data_Needed/DN_0081_5861_wmi_activity.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0081_5861_wmi_activity](../Data_Needed/DN_0081_5861_wmi_activity.md)</li><li>[DN_0080_5859_wmi_activity](../Data_Needed/DN_0080_5859_wmi_activity.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1047: Windows Management Instrumentation](../Triggers/T1047.md)</li></ul>  |
 | Severity Level       | medium |
@@ -56,6 +56,27 @@ level: medium
 
 
 
+### es-qs
+    
+```
+((EventID:"5861" AND Message.keyword:(*ActiveScriptEventConsumer* OR *CommandLineEventConsumer* OR *CommandLineTemplate*)) OR EventID:"5859")
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/WMI-Persistence <<EOF\n{\n  "metadata": {\n    "title": "WMI Persistence",\n    "description": "Detects suspicious WMI event filter and command line event consumer based on event id 5861 and 5859 (Windows 10, 2012 and higher)",\n    "tags": [\n      "attack.execution",\n      "attack.persistence",\n      "attack.t1047"\n    ],\n    "query": "((EventID:\\"5861\\" AND Message.keyword:(*ActiveScriptEventConsumer* OR *CommandLineEventConsumer* OR *CommandLineTemplate*)) OR EventID:\\"5859\\")"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "((EventID:\\"5861\\" AND Message.keyword:(*ActiveScriptEventConsumer* OR *CommandLineEventConsumer* OR *CommandLineTemplate*)) OR EventID:\\"5859\\")",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'WMI Persistence\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+((EventID:"5861" AND Message.keyword:(*ActiveScriptEventConsumer* *CommandLineEventConsumer* *CommandLineTemplate*)) OR EventID:"5859")
+```
+
+
 ### splunk
     
 ```
@@ -63,4 +84,18 @@ level: medium
 ```
 
 
+### logpoint
+    
+```
+((event_id="5861" Message IN ["*ActiveScriptEventConsumer*", "*CommandLineEventConsumer*", "*CommandLineTemplate*"]) OR event_id="5859")
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?:.*(?:.*(?=.*5861)(?=.*(?:.*.*ActiveScriptEventConsumer.*|.*.*CommandLineEventConsumer.*|.*.*CommandLineTemplate.*)))|.*5859))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_wmi_persistence_script_event_consumer.md b/Atomic_Threat_Coverage/Detection_Rules/win_wmi_persistence_script_event_consumer.md
index a22a74e..32c865f 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_wmi_persistence_script_event_consumer.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_wmi_persistence_script_event_consumer.md
@@ -3,7 +3,7 @@
 | Description          | Detects WMI script event consumers                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1047: Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1047: Windows Management Instrumentation](../Triggers/T1047.md)</li></ul>  |
 | Severity Level       | high |
@@ -48,6 +48,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(Image:"C\\:\\\\WINDOWS\\\\system32\\\\wbem\\\\scrcons.exe" AND ParentImage:"C\\:\\\\Windows\\\\System32\\\\svchost.exe")
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/WMI-Persistence---Script-Event-Consumer <<EOF\n{\n  "metadata": {\n    "title": "WMI Persistence - Script Event Consumer",\n    "description": "Detects WMI script event consumers",\n    "tags": [\n      "attack.execution",\n      "attack.persistence",\n      "attack.t1047"\n    ],\n    "query": "(Image:\\"C\\\\:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\wbem\\\\\\\\scrcons.exe\\" AND ParentImage:\\"C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\")"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(Image:\\"C\\\\:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\wbem\\\\\\\\scrcons.exe\\" AND ParentImage:\\"C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\")",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'WMI Persistence - Script Event Consumer\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(Image:"C\\:\\\\WINDOWS\\\\system32\\\\wbem\\\\scrcons.exe" AND ParentImage:"C\\:\\\\Windows\\\\System32\\\\svchost.exe")
+```
+
+
 ### splunk
     
 ```
@@ -55,4 +76,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" Image="C:\\\\WINDOWS\\\\system32\\\\wbem\\\\scrcons.exe" ParentImage="C:\\\\Windows\\\\System32\\\\svchost.exe")
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*C:\\WINDOWS\\system32\\wbem\\scrcons\\.exe)(?=.*C:\\Windows\\System32\\svchost\\.exe))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_wmi_spwns_powershell.md b/Atomic_Threat_Coverage/Detection_Rules/win_wmi_spwns_powershell.md
index 18c07a4..43cfaf7 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_wmi_spwns_powershell.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_wmi_spwns_powershell.md
@@ -3,7 +3,7 @@
 | Description          | Detects WMI spawning PowerShell                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1064: Scripting](https://attack.mitre.org/techniques/T1064)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1064: Scripting](../Triggers/T1064.md)</li></ul>  |
 | Severity Level       | high |
@@ -52,6 +52,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+(ParentImage.keyword:(*\\\\wmiprvse.exe) AND Image.keyword:(*\\\\powershell.exe))
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/WMI-Spawning-Windows-PowerShell <<EOF\n{\n  "metadata": {\n    "title": "WMI Spawning Windows PowerShell",\n    "description": "Detects WMI spawning PowerShell",\n    "tags": [\n      "attack.execution",\n      "attack.defense_evasion",\n      "attack.t1064"\n    ],\n    "query": "(ParentImage.keyword:(*\\\\\\\\wmiprvse.exe) AND Image.keyword:(*\\\\\\\\powershell.exe))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(ParentImage.keyword:(*\\\\\\\\wmiprvse.exe) AND Image.keyword:(*\\\\\\\\powershell.exe))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'WMI Spawning Windows PowerShell\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+(ParentImage.keyword:(*\\\\wmiprvse.exe) AND Image.keyword:(*\\\\powershell.exe))
+```
+
+
 ### splunk
     
 ```
@@ -59,4 +80,18 @@ level: high
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" ParentImage IN ["*\\\\wmiprvse.exe"] Image IN ["*\\\\powershell.exe"])
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?=.*(?:.*.*\\wmiprvse\\.exe))(?=.*(?:.*.*\\powershell\\.exe)))'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_workflow_compiler.md b/Atomic_Threat_Coverage/Detection_Rules/win_workflow_compiler.md
index 670293c..1885503 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_workflow_compiler.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_workflow_compiler.md
@@ -3,7 +3,7 @@
 | Description          | Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.                                                                                                                                           |
 | ATT&amp;CK Tactic    |  <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul>  |
 | ATT&amp;CK Technique | <ul><li>[T1127: Trusted Developer Utilities](https://attack.mitre.org/techniques/T1127)</li></ul>  |
-| Data Needed          | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul>  |
+| Data Needed          | <ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li></ul>  |
 | Enrichment           |  Data for this Detection Rule doesn't require any Enrichments.  |
 | Trigger              | <ul><li>[T1127: Trusted Developer Utilities](../Triggers/T1127.md)</li></ul>  |
 | Severity Level       | high |
@@ -49,6 +49,27 @@ level: high
 
 
 
+### es-qs
+    
+```
+Image.keyword:*\\\\Microsoft.Workflow.Compiler.exe
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/Microsoft-Workflow-Compiler <<EOF\n{\n  "metadata": {\n    "title": "Microsoft Workflow Compiler",\n    "description": "Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.",\n    "tags": [\n      "attack.defense_evasion",\n      "attack.execution",\n      "attack.t1127"\n    ],\n    "query": "Image.keyword:*\\\\\\\\Microsoft.Workflow.Compiler.exe"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "Image.keyword:*\\\\\\\\Microsoft.Workflow.Compiler.exe",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Microsoft Workflow Compiler\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n      CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+Image.keyword:*\\\\Microsoft.Workflow.Compiler.exe
+```
+
+
 ### splunk
     
 ```
@@ -56,4 +77,18 @@ Image="*\\\\Microsoft.Workflow.Compiler.exe" | table CommandLine,ParentCommandLi
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" Image="*\\\\Microsoft.Workflow.Compiler.exe")
+```
+
+
+### grep
+    
+```
+grep -P '^.*\\Microsoft\\.Workflow\\.Compiler\\.exe'
+```
+
+
 
diff --git a/Atomic_Threat_Coverage/Detection_Rules/win_xsl_script_processing.md b/Atomic_Threat_Coverage/Detection_Rules/win_xsl_script_processing.md
index 93ad66e..cb4fbe9 100644
--- a/Atomic_Threat_Coverage/Detection_Rules/win_xsl_script_processing.md
+++ b/Atomic_Threat_Coverage/Detection_Rules/win_xsl_script_processing.md
@@ -51,6 +51,27 @@ tags:
 
 
 
+### es-qs
+    
+```
+((Image.keyword:*\\\\wmic.exe AND CommandLine.keyword:*\\/format*) OR Image.keyword:*\\\\msxsl.exe)
+```
+
+
+### xpack-watcher
+    
+```
+curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/XSL-Script-Processing <<EOF\n{\n  "metadata": {\n    "title": "XSL Script Processing",\n    "description": "Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files, rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses",\n    "tags": [\n      "attack.execution",\n      "attack.t1220"\n    ],\n    "query": "((Image.keyword:*\\\\\\\\wmic.exe AND CommandLine.keyword:*\\\\/format*) OR Image.keyword:*\\\\\\\\msxsl.exe)"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "((Image.keyword:*\\\\\\\\wmic.exe AND CommandLine.keyword:*\\\\/format*) OR Image.keyword:*\\\\\\\\msxsl.exe)",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        },\n        "indices": []\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "email": {\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'XSL Script Processing\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n
+```
+
+
+### graylog
+    
+```
+((Image.keyword:*\\\\wmic.exe AND CommandLine.keyword:*\\/format*) OR Image.keyword:*\\\\msxsl.exe)
+```
+
+
 ### splunk
     
 ```
@@ -58,4 +79,18 @@ tags:
 ```
 
 
+### logpoint
+    
+```
+(event_id="1" ((Image="*\\\\wmic.exe" CommandLine="*/format*") OR Image="*\\\\msxsl.exe"))
+```
+
+
+### grep
+    
+```
+grep -P '^(?:.*(?:.*(?:.*(?=.*.*\\wmic\\.exe)(?=.*.*/format.*))|.*.*\\msxsl\\.exe))'
+```
+
+
 
diff --git a/analytics/generated/analytics.csv b/analytics/generated/analytics.csv
index 1447539..76334d8 100644
--- a/analytics/generated/analytics.csv
+++ b/analytics/generated/analytics.csv
@@ -1,109 +1,9 @@
 customer,tactic,technique,detection_rule,category,platform,type,channel,provider,data_needed,logging policy,enrichment,enrichment requirements,response playbook,response action
-None,TA0007: Discovery,T1087: Account Discovery,Reconnaissance Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0028_windows_audit_sam,,,-,title
-None,TA0007: Discovery,T1087: Account Discovery,Reconnaissance Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0007: Discovery,T1069: Permission Groups Discovery,Reconnaissance Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0028_windows_audit_sam,,,-,title
-None,TA0007: Discovery,T1069: Permission Groups Discovery,Reconnaissance Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1208: Kerberoasting,Suspicious Kerberos RC4 Ticket Encryption,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,SAM Dump to AppData,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,-,,,-,title
-None,TA0005: Defense Evasion,T1099: Timestomp,Unauthorized System Time Modification,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0003: Persistence,T1053: Scheduled Task,Persistence and Execution at scale via GPO scheduled task,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1053: Scheduled Task,Persistence and Execution at scale via GPO scheduled task,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Malicious Service Install,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,-,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Malicious Service Install,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Malicious Service Install,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,-,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Malicious Service Install,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Malicious Service Install,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,-,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Malicious Service Install,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0003: Persistence,T1078: Valid Accounts,Account Tampering - Suspicious Failed Logon Reasons,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0004_windows_audit_logon,,,-,title
-None,TA0003: Persistence,T1078: Valid Accounts,Account Tampering - Suspicious Failed Logon Reasons,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0004: Privilege Escalation,T1078: Valid Accounts,Account Tampering - Suspicious Failed Logon Reasons,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0004_windows_audit_logon,,,-,title
-None,TA0004: Privilege Escalation,T1078: Valid Accounts,Account Tampering - Suspicious Failed Logon Reasons,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0003: Persistence,T1078: Valid Accounts,Account Tampering - Suspicious Failed Logon Reasons,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0004_windows_audit_logon,,,-,title
-None,TA0003: Persistence,T1078: Valid Accounts,Account Tampering - Suspicious Failed Logon Reasons,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0004: Privilege Escalation,T1078: Valid Accounts,Account Tampering - Suspicious Failed Logon Reasons,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0004_windows_audit_logon,,,-,title
-None,TA0004: Privilege Escalation,T1078: Valid Accounts,Account Tampering - Suspicious Failed Logon Reasons,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz DC Sync,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1076: Remote Desktop Protocol,RDP Login from localhost,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0004_windows_audit_logon,,,-,title
-None,TA0007: Discovery,T1087: Account Discovery,AD Privileged Users or Groups Reconnaissance,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0028_windows_audit_sam,,,-,title
-None,TA0007: Discovery,T1087: Account Discovery,AD Privileged Users or Groups Reconnaissance,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0005: Defense Evasion,T1107: File Deletion,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0102_windows_audit_file_system,,,-,title
-None,TA0005: Defense Evasion,T1107: File Deletion,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0005: Defense Evasion,T1107: File Deletion,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0005: Defense Evasion,T1107: File Deletion,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0103_windows_audit_registry,,,-,title
-None,TA0005: Defense Evasion,T1107: File Deletion,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0005: Defense Evasion,T1066: Indicator Removal from Tools,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0102_windows_audit_file_system,,,-,title
-None,TA0005: Defense Evasion,T1066: Indicator Removal from Tools,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0005: Defense Evasion,T1066: Indicator Removal from Tools,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0005: Defense Evasion,T1066: Indicator Removal from Tools,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0103_windows_audit_registry,,,-,title
-None,TA0005: Defense Evasion,T1066: Indicator Removal from Tools,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0005: Defense Evasion,T1107: File Deletion,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0102_windows_audit_file_system,,,-,title
-None,TA0005: Defense Evasion,T1107: File Deletion,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0005: Defense Evasion,T1107: File Deletion,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0005: Defense Evasion,T1107: File Deletion,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0103_windows_audit_registry,,,-,title
-None,TA0005: Defense Evasion,T1107: File Deletion,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0005: Defense Evasion,T1066: Indicator Removal from Tools,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0102_windows_audit_file_system,,,-,title
-None,TA0005: Defense Evasion,T1066: Indicator Removal from Tools,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0005: Defense Evasion,T1066: Indicator Removal from Tools,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0005: Defense Evasion,T1066: Indicator Removal from Tools,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0103_windows_audit_registry,,,-,title
-None,TA0005: Defense Evasion,T1066: Indicator Removal from Tools,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0005: Defense Evasion,T1107: File Deletion,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0102_windows_audit_file_system,,,-,title
-None,TA0005: Defense Evasion,T1107: File Deletion,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0005: Defense Evasion,T1107: File Deletion,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0005: Defense Evasion,T1107: File Deletion,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0103_windows_audit_registry,,,-,title
-None,TA0005: Defense Evasion,T1107: File Deletion,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0005: Defense Evasion,T1066: Indicator Removal from Tools,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0102_windows_audit_file_system,,,-,title
-None,TA0005: Defense Evasion,T1066: Indicator Removal from Tools,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0005: Defense Evasion,T1066: Indicator Removal from Tools,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0005: Defense Evasion,T1066: Indicator Removal from Tools,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0103_windows_audit_registry,,,-,title
-None,TA0005: Defense Evasion,T1066: Indicator Removal from Tools,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1075: Pass the Hash,Pass the Hash Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1098: Account Manipulation,Active Directory User Backdoors,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,-,,,-,title
-None,TA0006: Credential Access,T1098: Account Manipulation,Active Directory User Backdoors,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0003: Persistence,T1098: Account Manipulation,Active Directory User Backdoors,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,-,,,-,title
-None,TA0003: Persistence,T1098: Account Manipulation,Active Directory User Backdoors,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1098: Account Manipulation,Active Directory User Backdoors,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,-,,,-,title
-None,TA0006: Credential Access,T1098: Account Manipulation,Active Directory User Backdoors,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0003: Persistence,T1098: Account Manipulation,Active Directory User Backdoors,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,-,,,-,title
-None,TA0003: Persistence,T1098: Account Manipulation,Active Directory User Backdoors,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0003: Persistence,T1178: SID-History Injection,Addition of SID History to Active Directory Object,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0004: Privilege Escalation,T1178: SID-History Injection,Addition of SID History to Active Directory Object,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0003: Persistence,T1178: SID-History Injection,Addition of SID History to Active Directory Object,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0004: Privilege Escalation,T1178: SID-History Injection,Addition of SID History to Active Directory Object,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0003: Persistence,T1178: SID-History Injection,Addition of SID History to Active Directory Object,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0004: Privilege Escalation,T1178: SID-History Injection,Addition of SID History to Active Directory Object,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1075: Pass the Hash,NTLM Logon,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1078: Valid Accounts,Admin User Remote Logon,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0004_windows_audit_logon,,,-,title
-None,TA0003: Persistence,T1136: Create Account,Detects local user creation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0002: Execution,T1053: Scheduled Task,Rare Schtasks Creations,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0004: Privilege Escalation,T1053: Scheduled Task,Rare Schtasks Creations,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0003: Persistence,T1053: Scheduled Task,Rare Schtasks Creations,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1075: Pass the Hash,Successful Overpass the Hash Attempt,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0004_windows_audit_logon,,,-,title
-None,TA0005: Defense Evasion,T1070: Indicator Removal on Host,Security Eventlog Cleared,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,-,,,-,title
-None,TA0005: Defense Evasion,T1070: Indicator Removal on Host,Security Eventlog Cleared,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,-,,,-,title
-None,TA0005: Defense Evasion,T1070: Indicator Removal on Host,Eventlog Cleared,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,-,,,-,title
-None,TA0005: Defense Evasion,T1073: DLL Side-Loading,DHCP Server Loaded the CallOut DLL,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,-,,,-,title
-None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,MSHTA Suspicious Execution 01,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,MSHTA Suspicious Execution 01,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,MSHTA Suspicious Execution 01,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,MSHTA Suspicious Execution 01,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,MSHTA Suspicious Execution 01,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,MSHTA Suspicious Execution 01,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0001: Initial Access,T1210: Exploitation of Remote Services,Potential RDP exploit CVE-2019-0708,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,-,,,-,title
-None,TA0001: Initial Access,T1190: Exploit Public-Facing Application,Potential RDP exploit CVE-2019-0708,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,-,,,-,title
-None,TA0008: Lateral Movement,T1210: Exploitation of Remote Services,Potential RDP exploit CVE-2019-0708,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,-,,,-,title
-None,TA0008: Lateral Movement,T1190: Exploit Public-Facing Application,Potential RDP exploit CVE-2019-0708,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,-,,,-,title
-None,TA0001: Initial Access,T1210: Exploitation of Remote Services,Potential RDP exploit CVE-2019-0708,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,-,,,-,title
-None,TA0001: Initial Access,T1190: Exploit Public-Facing Application,Potential RDP exploit CVE-2019-0708,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,-,,,-,title
-None,TA0008: Lateral Movement,T1210: Exploitation of Remote Services,Potential RDP exploit CVE-2019-0708,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,-,,,-,title
-None,TA0008: Lateral Movement,T1190: Exploit Public-Facing Application,Potential RDP exploit CVE-2019-0708,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,-,,,-,title
-None,TA0008: Lateral Movement,T1077: Windows Admin Shares,smbexec.py Service Installation,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,-,,,-,title
-None,TA0008: Lateral Movement,T1035: Service Execution,smbexec.py Service Installation,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,-,,,-,title
-None,TA0002: Execution,T1077: Windows Admin Shares,smbexec.py Service Installation,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,-,,,-,title
-None,TA0002: Execution,T1035: Service Execution,smbexec.py Service Installation,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,-,,,-,title
-None,TA0005: Defense Evasion,T1073: DLL Side-Loading,DNS Server Error Failed Loading the ServerLevelPluginDLL,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,-,,,-,title
-None,TA0005: Defense Evasion,T1073: DLL Side-Loading,DNS Server Error Failed Loading the ServerLevelPluginDLL,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,-,,,-,title
-None,TA0003: Persistence,T1050: New Service,Malicious Service Installations,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,-,,,-,title
-None,TA0004: Privilege Escalation,T1050: New Service,Malicious Service Installations,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,-,,,-,title
+None,TA0006: Credential Access,T1212: Exploitation for Credential Access,Possible Remote Password Change Through SAMR,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0029_windows_audit_detailed_file_share,,,-,title
+None,TA0006: Credential Access,T1212: Exploitation for Credential Access,Possible Remote Password Change Through SAMR,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0026_windows_audit_user_account_management,,,-,title
+None,TA0006: Credential Access,T1212: Exploitation for Credential Access,Possible Remote Password Change Through SAMR,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0029_windows_audit_detailed_file_share,,,-,title
+None,TA0006: Credential Access,T1212: Exploitation for Credential Access,Possible Remote Password Change Through SAMR,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0026_windows_audit_user_account_management,,,-,title
+None,TA0008: Lateral Movement,T1077: Windows Admin Shares,First time seen remote named pipe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0029_windows_audit_detailed_file_share,,,-,title
 None,TA0007: Discovery,T1087: Account Discovery,Hacktool Ruler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0004_windows_audit_logon,,,-,title
 None,TA0007: Discovery,T1087: Account Discovery,Hacktool Ruler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0107_windows_audit_credential_validation,,,-,title
 None,TA0007: Discovery,T1075: Pass the Hash,Hacktool Ruler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0004_windows_audit_logon,,,-,title
@@ -152,5533 +52,146 @@ None,TA0002: Execution,T1114: Email Collection,Hacktool Ruler,OS Logs,Windows,Wi
 None,TA0002: Execution,T1114: Email Collection,Hacktool Ruler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0107_windows_audit_credential_validation,,,-,title
 None,TA0002: Execution,T1059: Command-Line Interface,Hacktool Ruler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0004_windows_audit_logon,,,-,title
 None,TA0002: Execution,T1059: Command-Line Interface,Hacktool Ruler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0102_windows_audit_file_system,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0103_windows_audit_registry,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0030_windows_audit_file_share,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0028_windows_audit_sam,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0041_windows_audit_other_object_access_events,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0027_windows_audit_directory_service_access,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0044_windows_ntlm_audit,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0046_windows_audit_security_state_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0105_windows_audit_authorization_policy_change,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0100_windows_audit_security_system_extension,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0030_windows_audit_file_share,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0011_windows_sysmon_DnsQuery,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0028_windows_audit_sam,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Use,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1070: Indicator Removal on Host,Security Eventlog Cleared,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,-,,,-,title
+None,TA0005: Defense Evasion,T1070: Indicator Removal on Host,Security Eventlog Cleared,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,-,,,-,title
+None,TA0008: Lateral Movement,T1078: Valid Accounts,Interactive Logon to Server Systems,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0004_windows_audit_logon,,,-,title
+None,TA0008: Lateral Movement,T1078: Valid Accounts,Interactive Logon to Server Systems,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0004_windows_audit_logon,,,-,title
+None,TA0008: Lateral Movement,T1078: Valid Accounts,Interactive Logon to Server Systems,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0004_windows_audit_logon,,,-,title
+None,TA0008: Lateral Movement,T1078: Valid Accounts,Interactive Logon to Server Systems,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0004_windows_audit_logon,,,-,title
+None,TA0005: Defense Evasion,T1107: File Deletion,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0104_windows_audit_removable_storage,,,-,title
+None,TA0005: Defense Evasion,T1107: File Deletion,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0102_windows_audit_file_system,,,-,title
+None,TA0005: Defense Evasion,T1107: File Deletion,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0039_windows_audit_kernel_object,,,-,title
+None,TA0005: Defense Evasion,T1107: File Deletion,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0103_windows_audit_registry,,,-,title
+None,TA0005: Defense Evasion,T1107: File Deletion,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0042_windows_audit_handle_manipulation,,,-,title
+None,TA0005: Defense Evasion,T1066: Indicator Removal from Tools,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0104_windows_audit_removable_storage,,,-,title
+None,TA0005: Defense Evasion,T1066: Indicator Removal from Tools,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0102_windows_audit_file_system,,,-,title
+None,TA0005: Defense Evasion,T1066: Indicator Removal from Tools,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0039_windows_audit_kernel_object,,,-,title
+None,TA0005: Defense Evasion,T1066: Indicator Removal from Tools,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0103_windows_audit_registry,,,-,title
+None,TA0005: Defense Evasion,T1066: Indicator Removal from Tools,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0042_windows_audit_handle_manipulation,,,-,title
+None,TA0005: Defense Evasion,T1107: File Deletion,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0104_windows_audit_removable_storage,,,-,title
+None,TA0005: Defense Evasion,T1107: File Deletion,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0102_windows_audit_file_system,,,-,title
+None,TA0005: Defense Evasion,T1107: File Deletion,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0039_windows_audit_kernel_object,,,-,title
+None,TA0005: Defense Evasion,T1107: File Deletion,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0103_windows_audit_registry,,,-,title
+None,TA0005: Defense Evasion,T1107: File Deletion,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0042_windows_audit_handle_manipulation,,,-,title
+None,TA0005: Defense Evasion,T1066: Indicator Removal from Tools,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0104_windows_audit_removable_storage,,,-,title
+None,TA0005: Defense Evasion,T1066: Indicator Removal from Tools,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0102_windows_audit_file_system,,,-,title
+None,TA0005: Defense Evasion,T1066: Indicator Removal from Tools,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0039_windows_audit_kernel_object,,,-,title
+None,TA0005: Defense Evasion,T1066: Indicator Removal from Tools,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0103_windows_audit_registry,,,-,title
+None,TA0005: Defense Evasion,T1066: Indicator Removal from Tools,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0042_windows_audit_handle_manipulation,,,-,title
+None,TA0005: Defense Evasion,T1107: File Deletion,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0104_windows_audit_removable_storage,,,-,title
+None,TA0005: Defense Evasion,T1107: File Deletion,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0102_windows_audit_file_system,,,-,title
+None,TA0005: Defense Evasion,T1107: File Deletion,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0039_windows_audit_kernel_object,,,-,title
+None,TA0005: Defense Evasion,T1107: File Deletion,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0103_windows_audit_registry,,,-,title
+None,TA0005: Defense Evasion,T1107: File Deletion,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0042_windows_audit_handle_manipulation,,,-,title
+None,TA0005: Defense Evasion,T1066: Indicator Removal from Tools,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0104_windows_audit_removable_storage,,,-,title
+None,TA0005: Defense Evasion,T1066: Indicator Removal from Tools,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0102_windows_audit_file_system,,,-,title
+None,TA0005: Defense Evasion,T1066: Indicator Removal from Tools,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0039_windows_audit_kernel_object,,,-,title
+None,TA0005: Defense Evasion,T1066: Indicator Removal from Tools,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0103_windows_audit_registry,,,-,title
+None,TA0005: Defense Evasion,T1066: Indicator Removal from Tools,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0042_windows_audit_handle_manipulation,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,Malicious Service Install,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,-,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,Malicious Service Install,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,LP_0100_windows_audit_security_system_extension,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,Malicious Service Install,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,-,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,Malicious Service Install,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0100_windows_audit_security_system_extension,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,Malicious Service Install,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,-,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,Malicious Service Install,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0100_windows_audit_security_system_extension,,,-,title
+None,TA0008: Lateral Movement,T1053: Scheduled Task,Remote Task Creation via ATSVC named pipe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0029_windows_audit_detailed_file_share,,,-,title
+None,TA0003: Persistence,T1053: Scheduled Task,Remote Task Creation via ATSVC named pipe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0029_windows_audit_detailed_file_share,,,-,title
+None,TA0002: Execution,T1053: Scheduled Task,Rare Schtasks Creations,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0041_windows_audit_other_object_access_events,,,-,title
+None,TA0004: Privilege Escalation,T1053: Scheduled Task,Rare Schtasks Creations,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0041_windows_audit_other_object_access_events,,,-,title
+None,TA0003: Persistence,T1053: Scheduled Task,Rare Schtasks Creations,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0041_windows_audit_other_object_access_events,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,Password Dumper Activity on LSASS,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0104_windows_audit_removable_storage,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,Password Dumper Activity on LSASS,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0102_windows_audit_file_system,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,Password Dumper Activity on LSASS,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0039_windows_audit_kernel_object,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,Password Dumper Activity on LSASS,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0103_windows_audit_registry,,,-,title
+None,TA0001: Initial Access,T1210: Exploitation of Remote Services,Potential RDP exploit CVE-2019-0708,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,-,,,-,title
+None,TA0001: Initial Access,T1190: Exploit Public-Facing Application,Potential RDP exploit CVE-2019-0708,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,-,,,-,title
+None,TA0008: Lateral Movement,T1210: Exploitation of Remote Services,Potential RDP exploit CVE-2019-0708,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,-,,,-,title
+None,TA0008: Lateral Movement,T1190: Exploit Public-Facing Application,Potential RDP exploit CVE-2019-0708,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,-,,,-,title
+None,TA0001: Initial Access,T1210: Exploitation of Remote Services,Potential RDP exploit CVE-2019-0708,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,-,,,-,title
+None,TA0001: Initial Access,T1190: Exploit Public-Facing Application,Potential RDP exploit CVE-2019-0708,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,-,,,-,title
+None,TA0008: Lateral Movement,T1210: Exploitation of Remote Services,Potential RDP exploit CVE-2019-0708,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,-,,,-,title
+None,TA0008: Lateral Movement,T1190: Exploit Public-Facing Application,Potential RDP exploit CVE-2019-0708,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,-,,,-,title
+None,TA0008: Lateral Movement,T1075: Pass the Hash,Successful Overpass the Hash Attempt,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0004_windows_audit_logon,,,-,title
+None,TA0003: Persistence,T1050: New Service,Rare Service Installs,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,-,,,-,title
+None,TA0004: Privilege Escalation,T1050: New Service,Rare Service Installs,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,-,,,-,title
+None,TA0003: Persistence,T1136: Create Account,Detects local user creation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0026_windows_audit_user_account_management,,,-,title
 None,TA0004: Privilege Escalation,T1078: Valid Accounts,Enabled User Right in AD to Control User Objects,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0105_windows_audit_authorization_policy_change,,,-,title
+None,TA0008: Lateral Movement,T1075: Pass the Hash,Pass the Hash Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0004_windows_audit_logon,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,Possible Impacket SecretDump remote activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0029_windows_audit_detailed_file_share,,,-,title
+None,TA0005: Defense Evasion,T1099: Timestomp,Unauthorized System Time Modification,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0046_windows_audit_security_state_change,,,-,title
+None,TA0008: Lateral Movement,T1210: Exploitation of Remote Services,Scanner PoC for CVE-2019-0708 RDP RCE vuln,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0004_windows_audit_logon,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz DC Sync,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0027_windows_audit_directory_service_access,,,-,title
+None,TA0003: Persistence,T1053: Scheduled Task,Persistence and Execution at scale via GPO scheduled task,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0029_windows_audit_detailed_file_share,,,-,title
+None,TA0008: Lateral Movement,T1053: Scheduled Task,Persistence and Execution at scale via GPO scheduled task,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0029_windows_audit_detailed_file_share,,,-,title
+None,TA0003: Persistence,T1098: Account Manipulation,Password Change on Directory Service Restore Mode (DSRM) Account,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0026_windows_audit_user_account_management,,,-,title
+None,TA0004: Privilege Escalation,T1098: Account Manipulation,Password Change on Directory Service Restore Mode (DSRM) Account,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0026_windows_audit_user_account_management,,,-,title
+None,TA0005: Defense Evasion,T1054: Indicator Blocking,Disabling Windows Event Auditing,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,-,,,-,title
+None,TA0008: Lateral Movement,T1075: Pass the Hash,NTLM Logon,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0044_windows_ntlm_audit,,,-,title
 None,TA0005: Defense Evasion,T1073: DLL Side-Loading,DHCP Server Error Failed Loading the CallOut DLL,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,-,,,-,title
 None,TA0005: Defense Evasion,T1073: DLL Side-Loading,DHCP Server Error Failed Loading the CallOut DLL,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,-,,,-,title
 None,TA0005: Defense Evasion,T1073: DLL Side-Loading,DHCP Server Error Failed Loading the CallOut DLL,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,-,,,-,title
-None,TA0005: Defense Evasion,T1054: Indicator Blocking,Disabling Windows Event Auditing,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,-,,,-,title
-None,TA0003: Persistence,T1050: New Service,Rare Service Installs,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,-,,,-,title
-None,TA0004: Privilege Escalation,T1050: New Service,Rare Service Installs,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,-,,,-,title
-None,TA0008: Lateral Movement,T1078: Valid Accounts,Interactive Logon to Server Systems,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1078: Valid Accounts,Interactive Logon to Server Systems,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1078: Valid Accounts,Interactive Logon to Server Systems,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1078: Valid Accounts,Interactive Logon to Server Systems,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0004_windows_audit_logon,,,-,title
-None,TA0003: Persistence,T1098: Account Manipulation,Password Change on Directory Service Restore Mode (DSRM) Account,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0004: Privilege Escalation,T1098: Account Manipulation,Password Change on Directory Service Restore Mode (DSRM) Account,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1212: Exploitation for Credential Access,NetNTLM Downgrade Attack,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1212: Exploitation for Credential Access,NetNTLM Downgrade Attack,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0042_windows_audit_handle_manipulation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0103_windows_audit_registry,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0042_windows_audit_handle_manipulation,,,-,title
+None,TA0004: Privilege Escalation,T1078: Valid Accounts,User Added to Local Administrators,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0101_windows_audit_security_group_management,,,-,title
 None,TA0008: Lateral Movement,T1077: Windows Admin Shares,Suspicious PsExec execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1212: Exploitation for Credential Access,Kerberos Manipulation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1212: Exploitation for Credential Access,Kerberos Manipulation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1212: Exploitation for Credential Access,Kerberos Manipulation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1212: Exploitation for Credential Access,Kerberos Manipulation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0004_windows_audit_logon,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,SAM Dump to AppData,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,-,,,-,title
+None,TA0008: Lateral Movement,T1076: Remote Desktop Protocol,RDP Login from localhost,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0004_windows_audit_logon,,,-,title
 None,TA0006: Credential Access,T1212: Exploitation for Credential Access,Kerberos Manipulation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
 None,TA0006: Credential Access,T1212: Exploitation for Credential Access,Kerberos Manipulation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1212: Exploitation for Credential Access,Kerberos Manipulation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0004_windows_audit_logon,,,-,title
-None,TA0006: Credential Access,T1212: Exploitation for Credential Access,Kerberos Manipulation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
-None,TA0006: Credential Access,T1212: Exploitation for Credential Access,Kerberos Manipulation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0006: Credential Access,T1212: Exploitation for Credential Access,Kerberos Manipulation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0004_windows_audit_logon,,,-,title
+None,TA0006: Credential Access,T1212: Exploitation for Credential Access,Kerberos Manipulation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0004_windows_audit_logon,,,-,title
 None,TA0006: Credential Access,T1212: Exploitation for Credential Access,Kerberos Manipulation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
 None,TA0006: Credential Access,T1212: Exploitation for Credential Access,Kerberos Manipulation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
-None,TA0005: Defense Evasion,T1089: Disabling Security Tools,Weak Encryption Enabled and Kerberoast,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1212: Exploitation for Credential Access,Possible Remote Password Change Through SAMR,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1212: Exploitation for Credential Access,Possible Remote Password Change Through SAMR,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0006: Credential Access,T1212: Exploitation for Credential Access,Possible Remote Password Change Through SAMR,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0006: Credential Access,T1212: Exploitation for Credential Access,Possible Remote Password Change Through SAMR,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0026_windows_audit_user_account_management,,,-,title
-None,TA0008: Lateral Movement,T1077: Windows Admin Shares,First time seen remote named pipe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0001: Initial Access,T1200: Hardware Additions,USB Device Plugged,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,-,,,-,title
-None,TA0001: Initial Access,T1200: Hardware Additions,USB Device Plugged,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,-,,,-,title
-None,TA0001: Initial Access,T1200: Hardware Additions,USB Device Plugged,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,-,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Possible Impacket SecretDump remote activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1075: Pass the Hash,Pass the Hash Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1075: Pass the Hash,Pass the Hash Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0004_windows_audit_logon,,,-,title
-None,TA0008: Lateral Movement,T1077: Windows Admin Shares,Access to ADMIN$ Share,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0030_windows_audit_file_share,,,-,title
-None,TA0004: Privilege Escalation,T1078: Valid Accounts,User Added to Local Administrators,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0101_windows_audit_security_group_management,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Password Dumper Activity on LSASS,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0102_windows_audit_file_system,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Password Dumper Activity on LSASS,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0039_windows_audit_kernel_object,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Password Dumper Activity on LSASS,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0104_windows_audit_removable_storage,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Password Dumper Activity on LSASS,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0103_windows_audit_registry,,,-,title
+None,TA0006: Credential Access,T1212: Exploitation for Credential Access,Kerberos Manipulation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0004_windows_audit_logon,,,-,title
+None,TA0006: Credential Access,T1212: Exploitation for Credential Access,Kerberos Manipulation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
+None,TA0006: Credential Access,T1212: Exploitation for Credential Access,Kerberos Manipulation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
+None,TA0006: Credential Access,T1212: Exploitation for Credential Access,Kerberos Manipulation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0004_windows_audit_logon,,,-,title
+None,TA0006: Credential Access,T1212: Exploitation for Credential Access,Kerberos Manipulation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
+None,TA0006: Credential Access,T1212: Exploitation for Credential Access,Kerberos Manipulation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
+None,TA0006: Credential Access,T1212: Exploitation for Credential Access,Kerberos Manipulation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0004_windows_audit_logon,,,-,title
+None,TA0006: Credential Access,T1208: Kerberoasting,Suspicious Kerberos RC4 Ticket Encryption,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
+None,TA0003: Persistence,T1178: SID-History Injection,Addition of SID History to Active Directory Object,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0026_windows_audit_user_account_management,,,-,title
+None,TA0004: Privilege Escalation,T1178: SID-History Injection,Addition of SID History to Active Directory Object,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0026_windows_audit_user_account_management,,,-,title
+None,TA0003: Persistence,T1178: SID-History Injection,Addition of SID History to Active Directory Object,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0026_windows_audit_user_account_management,,,-,title
+None,TA0004: Privilege Escalation,T1178: SID-History Injection,Addition of SID History to Active Directory Object,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0026_windows_audit_user_account_management,,,-,title
+None,TA0003: Persistence,T1178: SID-History Injection,Addition of SID History to Active Directory Object,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0026_windows_audit_user_account_management,,,-,title
+None,TA0004: Privilege Escalation,T1178: SID-History Injection,Addition of SID History to Active Directory Object,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0026_windows_audit_user_account_management,,,-,title
+None,TA0003: Persistence,T1050: New Service,Malicious Service Installations,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,-,,,-,title
+None,TA0004: Privilege Escalation,T1050: New Service,Malicious Service Installations,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,-,,,-,title
+None,TA0008: Lateral Movement,T1078: Valid Accounts,Admin User Remote Logon,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0004_windows_audit_logon,,,-,title
+None,TA0003: Persistence,T1078: Valid Accounts,Account Tampering - Suspicious Failed Logon Reasons,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0004_windows_audit_logon,,,-,title
+None,TA0003: Persistence,T1078: Valid Accounts,Account Tampering - Suspicious Failed Logon Reasons,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0107_windows_audit_credential_validation,,,-,title
+None,TA0004: Privilege Escalation,T1078: Valid Accounts,Account Tampering - Suspicious Failed Logon Reasons,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0004_windows_audit_logon,,,-,title
+None,TA0004: Privilege Escalation,T1078: Valid Accounts,Account Tampering - Suspicious Failed Logon Reasons,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0107_windows_audit_credential_validation,,,-,title
+None,TA0003: Persistence,T1078: Valid Accounts,Account Tampering - Suspicious Failed Logon Reasons,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0004_windows_audit_logon,,,-,title
+None,TA0003: Persistence,T1078: Valid Accounts,Account Tampering - Suspicious Failed Logon Reasons,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0107_windows_audit_credential_validation,,,-,title
+None,TA0004: Privilege Escalation,T1078: Valid Accounts,Account Tampering - Suspicious Failed Logon Reasons,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0004_windows_audit_logon,,,-,title
+None,TA0004: Privilege Escalation,T1078: Valid Accounts,Account Tampering - Suspicious Failed Logon Reasons,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0107_windows_audit_credential_validation,,,-,title
+None,TA0005: Defense Evasion,T1073: DLL Side-Loading,DNS Server Error Failed Loading the ServerLevelPluginDLL,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,-,,,-,title
+None,TA0005: Defense Evasion,T1073: DLL Side-Loading,DNS Server Error Failed Loading the ServerLevelPluginDLL,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,-,,,-,title
 None,TA0005: Defense Evasion,T1076: Remote Desktop Protocol,RDP over Reverse SSH Tunnel WFP,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0045_windows_audit_filtering_platform_connection,,,-,title
 None,TA0011: Command and Control,T1076: Remote Desktop Protocol,RDP over Reverse SSH Tunnel WFP,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0045_windows_audit_filtering_platform_connection,,,-,title
-None,TA0008: Lateral Movement,T1053: Scheduled Task,Remote Task Creation via ATSVC named pipe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0003: Persistence,T1053: Scheduled Task,Remote Task Creation via ATSVC named pipe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0029_windows_audit_detailed_file_share,,,-,title
-None,TA0008: Lateral Movement,T1210: Exploitation of Remote Services,Scanner PoC for CVE-2019-0708 RDP RCE vuln,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0004_windows_audit_logon,,,-,title
+None,TA0008: Lateral Movement,T1077: Windows Admin Shares,smbexec.py Service Installation,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,-,,,-,title
+None,TA0008: Lateral Movement,T1035: Service Execution,smbexec.py Service Installation,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,-,,,-,title
+None,TA0002: Execution,T1077: Windows Admin Shares,smbexec.py Service Installation,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,-,,,-,title
+None,TA0002: Execution,T1035: Service Execution,smbexec.py Service Installation,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,-,,,-,title
+None,TA0006: Credential Access,T1098: Account Manipulation,Active Directory User Backdoors,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0026_windows_audit_user_account_management,,,-,title
+None,TA0003: Persistence,T1098: Account Manipulation,Active Directory User Backdoors,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0026_windows_audit_user_account_management,,,-,title
+None,TA0006: Credential Access,T1098: Account Manipulation,Active Directory User Backdoors,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0026_windows_audit_user_account_management,,,-,title
+None,TA0003: Persistence,T1098: Account Manipulation,Active Directory User Backdoors,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0026_windows_audit_user_account_management,,,-,title
+None,TA0005: Defense Evasion,T1070: Indicator Removal on Host,Eventlog Cleared,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,-,,,-,title
+None,TA0005: Defense Evasion,T1089: Disabling Security Tools,Weak Encryption Enabled and Kerberoast,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0026_windows_audit_user_account_management,,,-,title
+None,TA0006: Credential Access,T1212: Exploitation for Credential Access,NetNTLM Downgrade Attack,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title
+None,TA0006: Credential Access,T1212: Exploitation for Credential Access,NetNTLM Downgrade Attack,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0103_windows_audit_registry,,,-,title
+None,TA0006: Credential Access,T1212: Exploitation for Credential Access,NetNTLM Downgrade Attack,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,-,,,-,title
+None,TA0006: Credential Access,T1212: Exploitation for Credential Access,NetNTLM Downgrade Attack,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0103_windows_audit_registry,,,-,title
+None,TA0004: Privilege Escalation,T1171: LLMNR/NBT-NS Poisoning and Relay,RottenPotato Like Attack Pattern,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0004_windows_audit_logon,,,-,title
+None,TA0006: Credential Access,T1171: LLMNR/NBT-NS Poisoning and Relay,RottenPotato Like Attack Pattern,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0004_windows_audit_logon,,,-,title
+None,TA0008: Lateral Movement,T1077: Windows Admin Shares,Access to ADMIN$ Share,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0030_windows_audit_file_share,,,-,title
+None,TA0007: Discovery,T1087: Account Discovery,Reconnaissance Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0028_windows_audit_sam,,,-,title
+None,TA0007: Discovery,T1087: Account Discovery,Reconnaissance Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0027_windows_audit_directory_service_access,,,-,title
+None,TA0007: Discovery,T1069: Permission Groups Discovery,Reconnaissance Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0028_windows_audit_sam,,,-,title
+None,TA0007: Discovery,T1069: Permission Groups Discovery,Reconnaissance Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0027_windows_audit_directory_service_access,,,-,title
+None,TA0005: Defense Evasion,T1073: DLL Side-Loading,DHCP Server Loaded the CallOut DLL,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,-,,,-,title
+None,TA0007: Discovery,T1087: Account Discovery,AD Privileged Users or Groups Reconnaissance,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0028_windows_audit_sam,,,-,title
+None,TA0007: Discovery,T1087: Account Discovery,AD Privileged Users or Groups Reconnaissance,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0027_windows_audit_directory_service_access,,,-,title
 None,TA0003: Persistence,T1078: Valid Accounts,Multiple Failed Logins with Different Accounts from Single Source System,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0004_windows_audit_logon,,,-,title
 None,TA0003: Persistence,T1078: Valid Accounts,Multiple Failed Logins with Different Accounts from Single Source System,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0107_windows_audit_credential_validation,,,-,title
 None,TA0004: Privilege Escalation,T1078: Valid Accounts,Multiple Failed Logins with Different Accounts from Single Source System,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0004_windows_audit_logon,,,-,title
@@ -5691,876 +204,906 @@ None,TA0003: Persistence,T1078: Valid Accounts,Multiple Failed Logins with Diffe
 None,TA0003: Persistence,T1078: Valid Accounts,Multiple Failed Logins with Different Accounts from Single Source System,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0107_windows_audit_credential_validation,,,-,title
 None,TA0004: Privilege Escalation,T1078: Valid Accounts,Multiple Failed Logins with Different Accounts from Single Source System,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0004_windows_audit_logon,,,-,title
 None,TA0004: Privilege Escalation,T1078: Valid Accounts,Multiple Failed Logins with Different Accounts from Single Source System,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0107_windows_audit_credential_validation,,,-,title
-None,TA0003: Persistence,T1100: Web Shell,Antivirus Web Shell Detection,AV Alerts,antivirus,None,None,None,DN_0084_av_alert,-,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0104_windows_audit_removable_storage,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0102_windows_audit_file_system,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0039_windows_audit_kernel_object,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0103_windows_audit_registry,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0042_windows_audit_handle_manipulation,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0104_windows_audit_removable_storage,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0102_windows_audit_file_system,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0039_windows_audit_kernel_object,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0103_windows_audit_registry,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0042_windows_audit_handle_manipulation,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0104_windows_audit_removable_storage,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0102_windows_audit_file_system,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0039_windows_audit_kernel_object,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0103_windows_audit_registry,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0042_windows_audit_handle_manipulation,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0104_windows_audit_removable_storage,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0102_windows_audit_file_system,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0039_windows_audit_kernel_object,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0103_windows_audit_registry,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0042_windows_audit_handle_manipulation,,,-,title
+None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,MSHTA Suspicious Execution 01,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,MSHTA Suspicious Execution 01,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,MSHTA Suspicious Execution 01,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,MSHTA Suspicious Execution 01,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,MSHTA Suspicious Execution 01,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,MSHTA Suspicious Execution 01,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0008: Lateral Movement,T1075: Pass the Hash,Pass the Hash Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0004_windows_audit_logon,,,-,title
+None,TA0008: Lateral Movement,T1075: Pass the Hash,Pass the Hash Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0004_windows_audit_logon,,,-,title
+None,TA0001: Initial Access,T1200: Hardware Additions,USB Device Plugged,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,-,,,-,title
+None,TA0001: Initial Access,T1200: Hardware Additions,USB Device Plugged,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,-,,,-,title
+None,TA0001: Initial Access,T1200: Hardware Additions,USB Device Plugged,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,-,,,-,title
 None,TA0002: Execution,T1203: Exploitation for Client Execution,Antivirus Exploitation Framework Detection,AV Alerts,antivirus,None,None,None,DN_0084_av_alert,-,,,-,title
 None,TA0002: Execution,T1219: Remote Access Tools,Antivirus Exploitation Framework Detection,AV Alerts,antivirus,None,None,None,DN_0084_av_alert,-,,,-,title
 None,TA0011: Command and Control,T1203: Exploitation for Client Execution,Antivirus Exploitation Framework Detection,AV Alerts,antivirus,None,None,None,DN_0084_av_alert,-,,,-,title
 None,TA0011: Command and Control,T1219: Remote Access Tools,Antivirus Exploitation Framework Detection,AV Alerts,antivirus,None,None,None,DN_0084_av_alert,-,,,-,title
 None,TA0006: Credential Access,T1003: Credential Dumping,Antivirus Password Dumper Detection,AV Alerts,antivirus,None,None,None,DN_0084_av_alert,-,,,-,title
+None,TA0003: Persistence,T1100: Web Shell,Antivirus Web Shell Detection,AV Alerts,antivirus,None,None,None,DN_0084_av_alert,-,,,-,title
 None,TA0002: Execution,T1112: Modify Registry,Ursnif,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title
-None,TA0002: Execution,T1035: Service Execution,PsExec Tool Execution,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,-,,,-,title
-None,TA0002: Execution,T1035: Service Execution,PsExec Tool Execution,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1047: Windows Management Instrumentation,WMI Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,-,,,-,title
+None,TA0003: Persistence,T1047: Windows Management Instrumentation,WMI Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,-,,,-,title
+None,TA0002: Execution,T1047: Windows Management Instrumentation,WMI Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,-,,,-,title
+None,TA0003: Persistence,T1047: Windows Management Instrumentation,WMI Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,-,,,-,title
+None,TA0003: Persistence,T1053: Scheduled Task,Rare Scheduled Task Creations,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,-,,,-,title
 None,TA0002: Execution,T1035: Service Execution,PsExec Tool Execution,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,-,,,-,title
 None,TA0002: Execution,T1035: Service Execution,PsExec Tool Execution,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0003_windows_sysmon_process_creation,,,-,title
 None,TA0002: Execution,T1035: Service Execution,PsExec Tool Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,-,,,-,title
 None,TA0002: Execution,T1035: Service Execution,PsExec Tool Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0003: Persistence,T1053: Scheduled Task,Rare Scheduled Task Creations,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,-,,,-,title
-None,TA0002: Execution,T1047: Windows Management Instrumentation,WMI Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,-,,,-,title
-None,TA0003: Persistence,T1047: Windows Management Instrumentation,WMI Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,-,,,-,title
-None,TA0002: Execution,T1047: Windows Management Instrumentation,WMI Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,-,,,-,title
-None,TA0003: Persistence,T1047: Windows Management Instrumentation,WMI Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,-,,,-,title
-None,TA0005: Defense Evasion,T1086: PowerShell,PowerShell Downgrade Attack,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,-,,,-,title
-None,TA0002: Execution,T1086: PowerShell,PowerShell Downgrade Attack,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,-,,,-,title
-None,TA0002: Execution,T1086: PowerShell,Suspicious PowerShell Download,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,-,,,-,title
-None,TA0002: Execution,T1086: PowerShell,Suspicious PowerShell Download,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,-,,,-,title
-None,TA0002: Execution,T1086: PowerShell,Suspicious PowerShell Keywords,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,-,,,-,title
-None,TA0002: Execution,T1086: PowerShell,Suspicious PowerShell Keywords,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,-,,,-,title
-None,TA0002: Execution,T1086: PowerShell,Malicious PowerShell Commandlets,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,-,,,-,title
-None,TA0002: Execution,T1086: PowerShell,Malicious PowerShell Commandlets,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,-,,,-,title
-None,TA0005: Defense Evasion,T1096: NTFS File Attributes,NTFS Alternate Data Stream,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,-,,,-,title
-None,TA0005: Defense Evasion,T1096: NTFS File Attributes,NTFS Alternate Data Stream,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,-,,,-,title
-None,TA0002: Execution,T1086: PowerShell,PowerShell Credential Prompt,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,-,,,-,title
-None,TA0006: Credential Access,T1086: PowerShell,PowerShell Credential Prompt,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,-,,,-,title
+None,TA0002: Execution,T1035: Service Execution,PsExec Tool Execution,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,-,,,-,title
+None,TA0002: Execution,T1035: Service Execution,PsExec Tool Execution,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1086: PowerShell,PowerShell PSAttack,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,-,,,-,title
+None,TA0002: Execution,T1086: PowerShell,Suspicious PowerShell Invocations - Generic,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,-,,,-,title
+None,TA0002: Execution,T1086: PowerShell,Suspicious PowerShell Invocations - Generic,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,-,,,-,title
 None,TA0005: Defense Evasion,T1086: PowerShell,PowerShell called from an Executable Version Mismatch,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,-,,,-,title
 None,TA0002: Execution,T1086: PowerShell,PowerShell called from an Executable Version Mismatch,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,-,,,-,title
-None,TA0002: Execution,T1086: PowerShell,Suspicious PowerShell Invocations - Generic,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,-,,,-,title
-None,TA0002: Execution,T1086: PowerShell,Suspicious PowerShell Invocations - Generic,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,-,,,-,title
+None,TA0005: Defense Evasion,T1096: NTFS File Attributes,NTFS Alternate Data Stream,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,-,,,-,title
+None,TA0005: Defense Evasion,T1096: NTFS File Attributes,NTFS Alternate Data Stream,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,-,,,-,title
+None,TA0003: Persistence,T1004: Winlogon Helper DLL,Winlogon Helper DLL,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,-,,,-,title
 None,TA0004: Privilege Escalation,T1055: Process Injection,PowerShell ShellCode,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,-,,,-,title
 None,TA0004: Privilege Escalation,T1086: PowerShell,PowerShell ShellCode,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,-,,,-,title
 None,TA0002: Execution,T1055: Process Injection,PowerShell ShellCode,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,-,,,-,title
 None,TA0002: Execution,T1086: PowerShell,PowerShell ShellCode,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,-,,,-,title
-None,TA0002: Execution,T1086: PowerShell,Malicious PowerShell Keywords,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,-,,,-,title
-None,TA0002: Execution,T1086: PowerShell,Malicious PowerShell Keywords,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,-,,,-,title
-None,TA0002: Execution,T1086: PowerShell,PowerShell PSAttack,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,-,,,-,title
-None,TA0002: Execution,T1086: PowerShell,Suspicious PowerShell Invocations - Specific,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,-,,,-,title
-None,TA0002: Execution,T1086: PowerShell,Suspicious PowerShell Invocations - Specific,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,-,,,-,title
-None,TA0002: Execution,T1064: Scripting,LockerGoga Ransomware,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1064: Scripting,LockerGoga Ransomware,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1064: Scripting,LockerGoga Ransomware,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1064: Scripting,LockerGoga Ransomware,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1064: Scripting,LockerGoga Ransomware,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1064: Scripting,LockerGoga Ransomware,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0003: Persistence,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0003: Persistence,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0003: Persistence,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0003: Persistence,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0003: Persistence,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0003: Persistence,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1064: Scripting,WSF/JSE/JS/VBA/VBE File Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1064: Scripting,WSF/JSE/JS/VBA/VBE File Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1064: Scripting,WSF/JSE/JS/VBA/VBE File Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1064: Scripting,WSF/JSE/JS/VBA/VBE File Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1064: Scripting,WSF/JSE/JS/VBA/VBE File Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1064: Scripting,WSF/JSE/JS/VBA/VBE File Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1086: PowerShell,Suspicious PowerShell Invocation based on Parent Process,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1047: Windows Management Instrumentation,Suspicious WMI execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1047: Windows Management Instrumentation,Suspicious WMI execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1047: Windows Management Instrumentation,Suspicious WMI execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1047: Windows Management Instrumentation,Suspicious WMI execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1047: Windows Management Instrumentation,Suspicious WMI execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1047: Windows Management Instrumentation,Suspicious WMI execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Taskmgr as LOCAL_SYSTEM,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0004: Privilege Escalation,T1068: Exploitation for Privilege Escalation,Windows Kernel and 3rd-party drivers exploits. Token stealing,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0004: Privilege Escalation,T1068: Exploitation for Privilege Escalation,Windows Kernel and 3rd-party drivers exploits. Token stealing,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,EN_0002_enrich_sysmon_event_id_1_with_parent_info,EN_0001_cache_sysmon_event_id_1_info,-,-
-None,TA0002: Execution,T1086: PowerShell,Powershell AMSI Bypass via .NET Reflection,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1086: PowerShell,Powershell AMSI Bypass via .NET Reflection,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1086: PowerShell,Powershell AMSI Bypass via .NET Reflection,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1086: PowerShell,Powershell AMSI Bypass via .NET Reflection,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1086: PowerShell,Powershell AMSI Bypass via .NET Reflection,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1086: PowerShell,Powershell AMSI Bypass via .NET Reflection,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1086: PowerShell,Powershell AMSI Bypass via .NET Reflection,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1086: PowerShell,Powershell AMSI Bypass via .NET Reflection,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1086: PowerShell,Powershell AMSI Bypass via .NET Reflection,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1086: PowerShell,Powershell AMSI Bypass via .NET Reflection,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1086: PowerShell,Powershell AMSI Bypass via .NET Reflection,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1086: PowerShell,Powershell AMSI Bypass via .NET Reflection,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1035: Service Execution,PsExec Service Start,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1035: Service Execution,PsExec Service Start,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Suspicious GUP Usage,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Suspicious GUP Usage,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Suspicious GUP Usage,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Suspicious GUP Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Suspicious GUP Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Suspicious GUP Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Suspicious GUP Usage,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Suspicious GUP Usage,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Suspicious GUP Usage,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0003: Persistence,T1138: Application Shimming,Possible Shim Database Persistence via sdbinst.exe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0003: Persistence,T1138: Application Shimming,Possible Shim Database Persistence via sdbinst.exe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0003: Persistence,T1138: Application Shimming,Possible Shim Database Persistence via sdbinst.exe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0003: Persistence,T1138: Application Shimming,Possible Shim Database Persistence via sdbinst.exe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0003: Persistence,T1138: Application Shimming,Possible Shim Database Persistence via sdbinst.exe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0003: Persistence,T1138: Application Shimming,Possible Shim Database Persistence via sdbinst.exe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Activity Related to NTDS.dit Domain Hash Retrieval,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Activity Related to NTDS.dit Domain Hash Retrieval,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Activity Related to NTDS.dit Domain Hash Retrieval,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Activity Related to NTDS.dit Domain Hash Retrieval,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Activity Related to NTDS.dit Domain Hash Retrieval,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Activity Related to NTDS.dit Domain Hash Retrieval,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1175: Distributed Component Object Model,MMC Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1175: Distributed Component Object Model,MMC Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1175: Distributed Component Object Model,MMC Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1175: Distributed Component Object Model,MMC Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1175: Distributed Component Object Model,MMC Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1175: Distributed Component Object Model,MMC Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Svchost Process,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Svchost Process,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Svchost Process,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Svchost Process,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Svchost Process,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Svchost Process,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1090: Connection Proxy,Netsh,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1090: Connection Proxy,Netsh,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1090: Connection Proxy,Netsh,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0011: Command and Control,T1090: Connection Proxy,Netsh,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0011: Command and Control,T1090: Connection Proxy,Netsh,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0011: Command and Control,T1090: Connection Proxy,Netsh,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1090: Connection Proxy,Netsh,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1090: Connection Proxy,Netsh,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1090: Connection Proxy,Netsh,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0011: Command and Control,T1090: Connection Proxy,Netsh,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0011: Command and Control,T1090: Connection Proxy,Netsh,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0011: Command and Control,T1090: Connection Proxy,Netsh,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0003: Persistence,T1015: Accessibility Features,Suspicious Debugger Registration Cmdline,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0003: Persistence,T1015: Accessibility Features,Suspicious Debugger Registration Cmdline,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0003: Persistence,T1015: Accessibility Features,Suspicious Debugger Registration Cmdline,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0004: Privilege Escalation,T1015: Accessibility Features,Suspicious Debugger Registration Cmdline,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0004: Privilege Escalation,T1015: Accessibility Features,Suspicious Debugger Registration Cmdline,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0004: Privilege Escalation,T1015: Accessibility Features,Suspicious Debugger Registration Cmdline,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0003: Persistence,T1015: Accessibility Features,Suspicious Debugger Registration Cmdline,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0003: Persistence,T1015: Accessibility Features,Suspicious Debugger Registration Cmdline,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0003: Persistence,T1015: Accessibility Features,Suspicious Debugger Registration Cmdline,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0004: Privilege Escalation,T1015: Accessibility Features,Suspicious Debugger Registration Cmdline,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0004: Privilege Escalation,T1015: Accessibility Features,Suspicious Debugger Registration Cmdline,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0004: Privilege Escalation,T1015: Accessibility Features,Suspicious Debugger Registration Cmdline,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1086: PowerShell,Suspicious Encoded PowerShell Command Line,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1086: PowerShell,Suspicious Encoded PowerShell Command Line,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1086: PowerShell,Suspicious Encoded PowerShell Command Line,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1086: PowerShell,Suspicious Encoded PowerShell Command Line,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1086: PowerShell,Suspicious Encoded PowerShell Command Line,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1086: PowerShell,Suspicious Encoded PowerShell Command Line,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1086: PowerShell,Malicious Base64 encoded PowerShell Keywords in command lines,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1086: PowerShell,Malicious Base64 encoded PowerShell Keywords in command lines,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1086: PowerShell,Malicious Base64 encoded PowerShell Keywords in command lines,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1086: PowerShell,Malicious Base64 encoded PowerShell Keywords in command lines,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1086: PowerShell,Malicious Base64 encoded PowerShell Keywords in command lines,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1086: PowerShell,Malicious Base64 encoded PowerShell Keywords in command lines,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1086: PowerShell,PowerShell Download from URL,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1086: PowerShell,PowerShell Download from URL,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1086: PowerShell,PowerShell Download from URL,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1086: PowerShell,PowerShell Download from URL,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1086: PowerShell,PowerShell Download from URL,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1086: PowerShell,PowerShell Downgrade Attack,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,-,,,-,title
+None,TA0002: Execution,T1086: PowerShell,PowerShell Downgrade Attack,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,-,,,-,title
+None,TA0002: Execution,T1086: PowerShell,PowerShell Credential Prompt,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,-,,,-,title
+None,TA0006: Credential Access,T1086: PowerShell,PowerShell Credential Prompt,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,-,,,-,title
+None,TA0010: Exfiltration,T1002: Data Compressed,Data Compressed,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,-,,,-,title
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0001_identification_get_original_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0002_identification_extract_observables_from_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0003_identification_make_sure_email_is_a_phising
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0004_identification_analyse_obtained_indicators_of_compromise
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0005_identification_find_all_phising_attack_victims
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0040_identification_put_on_monitoring_compromised_accounts
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0006_containment_block_domain_on_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0028_containment_block_threat_on_network_level
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0010_eradication_delete_malicious_emails
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0011_eradication_revoke_compromised_credentials
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0012_eradication_report_phishing_attack_to_external_companies
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0013_lessons_learned_develop_incident_report
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0014_lessons_learned_conduct_lessons_learned_exercise
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0001_identification_get_original_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0002_identification_extract_observables_from_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0003_identification_make_sure_email_is_a_phising
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0004_identification_analyse_obtained_indicators_of_compromise
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0005_identification_find_all_phising_attack_victims
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0040_identification_put_on_monitoring_compromised_accounts
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0006_containment_block_domain_on_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0028_containment_block_threat_on_network_level
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0010_eradication_delete_malicious_emails
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0011_eradication_revoke_compromised_credentials
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0012_eradication_report_phishing_attack_to_external_companies
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0013_lessons_learned_develop_incident_report
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0014_lessons_learned_conduct_lessons_learned_exercise
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0001_identification_get_original_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0002_identification_extract_observables_from_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0003_identification_make_sure_email_is_a_phising
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0004_identification_analyse_obtained_indicators_of_compromise
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0005_identification_find_all_phising_attack_victims
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0040_identification_put_on_monitoring_compromised_accounts
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0006_containment_block_domain_on_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0028_containment_block_threat_on_network_level
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0010_eradication_delete_malicious_emails
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0011_eradication_revoke_compromised_credentials
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0012_eradication_report_phishing_attack_to_external_companies
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0013_lessons_learned_develop_incident_report
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0014_lessons_learned_conduct_lessons_learned_exercise
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0001_identification_get_original_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0002_identification_extract_observables_from_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0003_identification_make_sure_email_is_a_phising
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0004_identification_analyse_obtained_indicators_of_compromise
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0005_identification_find_all_phising_attack_victims
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0040_identification_put_on_monitoring_compromised_accounts
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0006_containment_block_domain_on_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0028_containment_block_threat_on_network_level
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0010_eradication_delete_malicious_emails
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0011_eradication_revoke_compromised_credentials
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0012_eradication_report_phishing_attack_to_external_companies
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0013_lessons_learned_develop_incident_report
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0014_lessons_learned_conduct_lessons_learned_exercise
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0001_identification_get_original_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0002_identification_extract_observables_from_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0003_identification_make_sure_email_is_a_phising
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0004_identification_analyse_obtained_indicators_of_compromise
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0005_identification_find_all_phising_attack_victims
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0040_identification_put_on_monitoring_compromised_accounts
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0006_containment_block_domain_on_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0028_containment_block_threat_on_network_level
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0010_eradication_delete_malicious_emails
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0011_eradication_revoke_compromised_credentials
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0012_eradication_report_phishing_attack_to_external_companies
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0013_lessons_learned_develop_incident_report
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0014_lessons_learned_conduct_lessons_learned_exercise
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0001_identification_get_original_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0002_identification_extract_observables_from_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0003_identification_make_sure_email_is_a_phising
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0004_identification_analyse_obtained_indicators_of_compromise
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0005_identification_find_all_phising_attack_victims
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0040_identification_put_on_monitoring_compromised_accounts
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0006_containment_block_domain_on_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0028_containment_block_threat_on_network_level
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0010_eradication_delete_malicious_emails
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0011_eradication_revoke_compromised_credentials
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0012_eradication_report_phishing_attack_to_external_companies
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0013_lessons_learned_develop_incident_report
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0014_lessons_learned_conduct_lessons_learned_exercise
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0001_identification_get_original_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0002_identification_extract_observables_from_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0003_identification_make_sure_email_is_a_phising
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0004_identification_analyse_obtained_indicators_of_compromise
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0005_identification_find_all_phising_attack_victims
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0040_identification_put_on_monitoring_compromised_accounts
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0006_containment_block_domain_on_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0028_containment_block_threat_on_network_level
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0010_eradication_delete_malicious_emails
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0011_eradication_revoke_compromised_credentials
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0012_eradication_report_phishing_attack_to_external_companies
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0013_lessons_learned_develop_incident_report
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0014_lessons_learned_conduct_lessons_learned_exercise
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0001_identification_get_original_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0002_identification_extract_observables_from_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0003_identification_make_sure_email_is_a_phising
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0004_identification_analyse_obtained_indicators_of_compromise
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0005_identification_find_all_phising_attack_victims
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0040_identification_put_on_monitoring_compromised_accounts
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0006_containment_block_domain_on_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0028_containment_block_threat_on_network_level
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0010_eradication_delete_malicious_emails
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0011_eradication_revoke_compromised_credentials
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0012_eradication_report_phishing_attack_to_external_companies
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0013_lessons_learned_develop_incident_report
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0014_lessons_learned_conduct_lessons_learned_exercise
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0001_identification_get_original_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0002_identification_extract_observables_from_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0003_identification_make_sure_email_is_a_phising
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0004_identification_analyse_obtained_indicators_of_compromise
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0005_identification_find_all_phising_attack_victims
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0040_identification_put_on_monitoring_compromised_accounts
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0006_containment_block_domain_on_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0028_containment_block_threat_on_network_level
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0010_eradication_delete_malicious_emails
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0011_eradication_revoke_compromised_credentials
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0012_eradication_report_phishing_attack_to_external_companies
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0013_lessons_learned_develop_incident_report
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0014_lessons_learned_conduct_lessons_learned_exercise
 None,TA0002: Execution,T1086: PowerShell,PowerShell Download from URL,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1208: Kerberoasting,Possible SPN Enumeration,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0007: Discovery,T1046: Network Service Scanning,Java Running with Remote Debugging,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0007: Discovery,T1046: Network Service Scanning,Java Running with Remote Debugging,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0007: Discovery,T1046: Network Service Scanning,Java Running with Remote Debugging,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0007: Discovery,T1046: Network Service Scanning,Java Running with Remote Debugging,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0007: Discovery,T1046: Network Service Scanning,Java Running with Remote Debugging,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1086: PowerShell,PowerShell Download from URL,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1086: PowerShell,PowerShell Download from URL,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1086: PowerShell,PowerShell Download from URL,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1086: PowerShell,PowerShell Download from URL,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1086: PowerShell,PowerShell Download from URL,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0004: Privilege Escalation,T1100: Web Shell,Webshell Detection With Command Line Keywords,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0004: Privilege Escalation,T1100: Web Shell,Webshell Detection With Command Line Keywords,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0004: Privilege Escalation,T1100: Web Shell,Webshell Detection With Command Line Keywords,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0003: Persistence,T1100: Web Shell,Webshell Detection With Command Line Keywords,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0003: Persistence,T1100: Web Shell,Webshell Detection With Command Line Keywords,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0003: Persistence,T1100: Web Shell,Webshell Detection With Command Line Keywords,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0004: Privilege Escalation,T1100: Web Shell,Webshell Detection With Command Line Keywords,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0004: Privilege Escalation,T1100: Web Shell,Webshell Detection With Command Line Keywords,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0004: Privilege Escalation,T1100: Web Shell,Webshell Detection With Command Line Keywords,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0003: Persistence,T1100: Web Shell,Webshell Detection With Command Line Keywords,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0003: Persistence,T1100: Web Shell,Webshell Detection With Command Line Keywords,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0003: Persistence,T1100: Web Shell,Webshell Detection With Command Line Keywords,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1170: Mshta,MSHTA Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1170: Mshta,MSHTA Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1170: Mshta,MSHTA Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1170: Mshta,MSHTA Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1170: Mshta,MSHTA Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1170: Mshta,MSHTA Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1170: Mshta,MSHTA Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1170: Mshta,MSHTA Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1170: Mshta,MSHTA Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1170: Mshta,MSHTA Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1170: Mshta,MSHTA Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1170: Mshta,MSHTA Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Process Start Locations,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Process Start Locations,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Process Start Locations,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Process Start Locations,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Process Start Locations,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Process Start Locations,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Process Start Locations,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Process Start Locations,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Process Start Locations,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0003: Persistence,T1100: Web Shell,Execution in Webserver Root Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0003: Persistence,T1100: Web Shell,Execution in Webserver Root Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0003: Persistence,T1100: Web Shell,Execution in Webserver Root Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0003: Persistence,T1100: Web Shell,Execution in Webserver Root Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0003: Persistence,T1100: Web Shell,Execution in Webserver Root Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0003: Persistence,T1100: Web Shell,Execution in Webserver Root Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Suspicious Certutil Command,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Suspicious Certutil Command,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Suspicious Certutil Command,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1105: Remote File Copy,Suspicious Certutil Command,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1105: Remote File Copy,Suspicious Certutil Command,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1105: Remote File Copy,Suspicious Certutil Command,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Suspicious Certutil Command,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Suspicious Certutil Command,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Suspicious Certutil Command,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1105: Remote File Copy,Suspicious Certutil Command,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1105: Remote File Copy,Suspicious Certutil Command,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1105: Remote File Copy,Suspicious Certutil Command,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
 None,TA0007: Discovery,T1046: Network Service Scanning,Java Running with Remote Debugging,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-TESTCUSTOMER,TA0005: Defense Evasion,T1055: Process Injection,Dridex Process Pattern,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-TESTCUSTOMER,TA0005: Defense Evasion,T1055: Process Injection,Dridex Process Pattern,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-TESTCUSTOMER,TA0005: Defense Evasion,T1055: Process Injection,Dridex Process Pattern,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-TESTCUSTOMER,TA0004: Privilege Escalation,T1055: Process Injection,Dridex Process Pattern,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-TESTCUSTOMER,TA0004: Privilege Escalation,T1055: Process Injection,Dridex Process Pattern,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-TESTCUSTOMER,TA0004: Privilege Escalation,T1055: Process Injection,Dridex Process Pattern,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-TESTCUSTOMER,TA0005: Defense Evasion,T1055: Process Injection,Dridex Process Pattern,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-TESTCUSTOMER,TA0005: Defense Evasion,T1055: Process Injection,Dridex Process Pattern,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-TESTCUSTOMER,TA0005: Defense Evasion,T1055: Process Injection,Dridex Process Pattern,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-TESTCUSTOMER,TA0004: Privilege Escalation,T1055: Process Injection,Dridex Process Pattern,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-TESTCUSTOMER,TA0004: Privilege Escalation,T1055: Process Injection,Dridex Process Pattern,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-TESTCUSTOMER,TA0004: Privilege Escalation,T1055: Process Injection,Dridex Process Pattern,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0007: Discovery,T1046: Network Service Scanning,Java Running with Remote Debugging,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0007: Discovery,T1046: Network Service Scanning,Java Running with Remote Debugging,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0007: Discovery,T1046: Network Service Scanning,Java Running with Remote Debugging,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0007: Discovery,T1046: Network Service Scanning,Java Running with Remote Debugging,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0007: Discovery,T1046: Network Service Scanning,Java Running with Remote Debugging,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1003: Credential Dumping,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1003: Credential Dumping,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1003: Credential Dumping,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0006: Credential Access,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0006: Credential Access,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0006: Credential Access,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1003: Credential Dumping,Suspicious Use of Procdump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1003: Credential Dumping,Suspicious Use of Procdump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1003: Credential Dumping,Suspicious Use of Procdump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0006: Credential Access,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0006: Credential Access,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0006: Credential Access,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,Suspicious Use of Procdump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,Suspicious Use of Procdump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,Suspicious Use of Procdump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0003: Persistence,T1015: Accessibility Features,Suspicious Debugger Registration Cmdline,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0003: Persistence,T1015: Accessibility Features,Suspicious Debugger Registration Cmdline,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0003: Persistence,T1015: Accessibility Features,Suspicious Debugger Registration Cmdline,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0004: Privilege Escalation,T1015: Accessibility Features,Suspicious Debugger Registration Cmdline,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0004: Privilege Escalation,T1015: Accessibility Features,Suspicious Debugger Registration Cmdline,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0004: Privilege Escalation,T1015: Accessibility Features,Suspicious Debugger Registration Cmdline,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0003: Persistence,T1015: Accessibility Features,Suspicious Debugger Registration Cmdline,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0003: Persistence,T1015: Accessibility Features,Suspicious Debugger Registration Cmdline,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0003: Persistence,T1015: Accessibility Features,Suspicious Debugger Registration Cmdline,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0004: Privilege Escalation,T1015: Accessibility Features,Suspicious Debugger Registration Cmdline,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0004: Privilege Escalation,T1015: Accessibility Features,Suspicious Debugger Registration Cmdline,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0004: Privilege Escalation,T1015: Accessibility Features,Suspicious Debugger Registration Cmdline,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0003: Persistence,T1084: Windows Management Instrumentation Event Subscription,WMI Backdoor Exchange Transport Agent,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0003: Persistence,T1084: Windows Management Instrumentation Event Subscription,WMI Backdoor Exchange Transport Agent,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0003: Persistence,T1084: Windows Management Instrumentation Event Subscription,WMI Backdoor Exchange Transport Agent,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0003: Persistence,T1084: Windows Management Instrumentation Event Subscription,WMI Backdoor Exchange Transport Agent,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0003: Persistence,T1084: Windows Management Instrumentation Event Subscription,WMI Backdoor Exchange Transport Agent,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0003: Persistence,T1084: Windows Management Instrumentation Event Subscription,WMI Backdoor Exchange Transport Agent,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
 TESTCUSTOMER,TA0005: Defense Evasion,T1158: Hidden Files and Directories,Hiding files with attrib.exe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
 TESTCUSTOMER,TA0003: Persistence,T1158: Hidden Files and Directories,Hiding files with attrib.exe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1118: InstallUtil,Possible Applocker Bypass,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1118: InstallUtil,Possible Applocker Bypass,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1118: InstallUtil,Possible Applocker Bypass,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1121: Regsvcs/Regasm,Possible Applocker Bypass,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1121: Regsvcs/Regasm,Possible Applocker Bypass,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1121: Regsvcs/Regasm,Possible Applocker Bypass,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1127: Trusted Developer Utilities,Possible Applocker Bypass,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1127: Trusted Developer Utilities,Possible Applocker Bypass,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1127: Trusted Developer Utilities,Possible Applocker Bypass,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1170: Mshta,Possible Applocker Bypass,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1170: Mshta,Possible Applocker Bypass,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1170: Mshta,Possible Applocker Bypass,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1118: InstallUtil,Possible Applocker Bypass,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1118: InstallUtil,Possible Applocker Bypass,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1118: InstallUtil,Possible Applocker Bypass,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1121: Regsvcs/Regasm,Possible Applocker Bypass,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1121: Regsvcs/Regasm,Possible Applocker Bypass,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1121: Regsvcs/Regasm,Possible Applocker Bypass,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1127: Trusted Developer Utilities,Possible Applocker Bypass,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1127: Trusted Developer Utilities,Possible Applocker Bypass,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1127: Trusted Developer Utilities,Possible Applocker Bypass,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1170: Mshta,Possible Applocker Bypass,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1170: Mshta,Possible Applocker Bypass,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1170: Mshta,Possible Applocker Bypass,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Renamed Binary,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1059: Command-Line Interface,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1059: Command-Line Interface,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1059: Command-Line Interface,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1202: Indirect Command Execution,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1202: Indirect Command Execution,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1202: Indirect Command Execution,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1059: Command-Line Interface,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1059: Command-Line Interface,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1059: Command-Line Interface,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1202: Indirect Command Execution,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1202: Indirect Command Execution,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1202: Indirect Command Execution,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1059: Command-Line Interface,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1059: Command-Line Interface,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1059: Command-Line Interface,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1202: Indirect Command Execution,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1202: Indirect Command Execution,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1202: Indirect Command Execution,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1059: Command-Line Interface,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1059: Command-Line Interface,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1059: Command-Line Interface,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1202: Indirect Command Execution,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1202: Indirect Command Execution,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1202: Indirect Command Execution,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Parent of Csc.exe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Parent of Csc.exe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Parent of Csc.exe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Parent of Csc.exe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Parent of Csc.exe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Parent of Csc.exe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1086: PowerShell,Empire PowerShell Launch Parameters,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1086: PowerShell,Empire PowerShell Launch Parameters,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1086: PowerShell,Empire PowerShell Launch Parameters,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1086: PowerShell,Empire PowerShell Launch Parameters,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1086: PowerShell,Empire PowerShell Launch Parameters,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1086: PowerShell,Empire PowerShell Launch Parameters,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1059: Command-Line Interface,Suspicious Execution from Outlook,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1059: Command-Line Interface,Suspicious Execution from Outlook,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1059: Command-Line Interface,Suspicious Execution from Outlook,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1202: Indirect Command Execution,Suspicious Execution from Outlook,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1202: Indirect Command Execution,Suspicious Execution from Outlook,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1202: Indirect Command Execution,Suspicious Execution from Outlook,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1059: Command-Line Interface,Suspicious Execution from Outlook,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1059: Command-Line Interface,Suspicious Execution from Outlook,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1059: Command-Line Interface,Suspicious Execution from Outlook,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1202: Indirect Command Execution,Suspicious Execution from Outlook,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1202: Indirect Command Execution,Suspicious Execution from Outlook,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1202: Indirect Command Execution,Suspicious Execution from Outlook,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1064: Scripting,WMI Spawning Windows PowerShell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1064: Scripting,WMI Spawning Windows PowerShell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1064: Scripting,WMI Spawning Windows PowerShell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1064: Scripting,WMI Spawning Windows PowerShell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1064: Scripting,WMI Spawning Windows PowerShell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1064: Scripting,WMI Spawning Windows PowerShell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1064: Scripting,WMI Spawning Windows PowerShell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1064: Scripting,WMI Spawning Windows PowerShell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1064: Scripting,WMI Spawning Windows PowerShell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1064: Scripting,WMI Spawning Windows PowerShell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1064: Scripting,WMI Spawning Windows PowerShell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1064: Scripting,WMI Spawning Windows PowerShell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Suspicious Control Panel DLL Load,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Suspicious Control Panel DLL Load,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Suspicious Control Panel DLL Load,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1085: Rundll32,Suspicious Control Panel DLL Load,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1085: Rundll32,Suspicious Control Panel DLL Load,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1085: Rundll32,Suspicious Control Panel DLL Load,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Suspicious Control Panel DLL Load,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Suspicious Control Panel DLL Load,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Suspicious Control Panel DLL Load,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1085: Rundll32,Suspicious Control Panel DLL Load,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1085: Rundll32,Suspicious Control Panel DLL Load,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1085: Rundll32,Suspicious Control Panel DLL Load,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Suspicious SYSVOL Domain Group Policy Access,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Suspicious SYSVOL Domain Group Policy Access,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Suspicious SYSVOL Domain Group Policy Access,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Suspicious SYSVOL Domain Group Policy Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Suspicious SYSVOL Domain Group Policy Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Suspicious SYSVOL Domain Group Policy Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-TESTCUSTOMER,TA0005: Defense Evasion,T1036: Masquerading,Exploit for CVE-2015-1641,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-TESTCUSTOMER,TA0005: Defense Evasion,T1036: Masquerading,Exploit for CVE-2015-1641,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-TESTCUSTOMER,TA0005: Defense Evasion,T1036: Masquerading,Exploit for CVE-2015-1641,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-TESTCUSTOMER,TA0005: Defense Evasion,T1036: Masquerading,Exploit for CVE-2015-1641,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-TESTCUSTOMER,TA0005: Defense Evasion,T1036: Masquerading,Exploit for CVE-2015-1641,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-TESTCUSTOMER,TA0005: Defense Evasion,T1036: Masquerading,Exploit for CVE-2015-1641,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1197: BITS Jobs,Bitsadmin Download,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1197: BITS Jobs,Bitsadmin Download,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1197: BITS Jobs,Bitsadmin Download,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0003: Persistence,T1197: BITS Jobs,Bitsadmin Download,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0003: Persistence,T1197: BITS Jobs,Bitsadmin Download,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0003: Persistence,T1197: BITS Jobs,Bitsadmin Download,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1197: BITS Jobs,Bitsadmin Download,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1197: BITS Jobs,Bitsadmin Download,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1197: BITS Jobs,Bitsadmin Download,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0003: Persistence,T1197: BITS Jobs,Bitsadmin Download,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0003: Persistence,T1197: BITS Jobs,Bitsadmin Download,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0003: Persistence,T1197: BITS Jobs,Bitsadmin Download,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-TESTCUSTOMER2;TESTCUSTOMER,TA0006: Credential Access,T1003: Credential Dumping,Cmdkey Cached Credentials Recon,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-TESTCUSTOMER2;TESTCUSTOMER,TA0006: Credential Access,T1003: Credential Dumping,Cmdkey Cached Credentials Recon,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-TESTCUSTOMER2;TESTCUSTOMER,TA0006: Credential Access,T1003: Credential Dumping,Cmdkey Cached Credentials Recon,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-TESTCUSTOMER2;TESTCUSTOMER,TA0006: Credential Access,T1003: Credential Dumping,Cmdkey Cached Credentials Recon,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-TESTCUSTOMER2;TESTCUSTOMER,TA0006: Credential Access,T1003: Credential Dumping,Cmdkey Cached Credentials Recon,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-TESTCUSTOMER2;TESTCUSTOMER,TA0006: Credential Access,T1003: Credential Dumping,Cmdkey Cached Credentials Recon,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Process dump via comsvcs DLL,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1086: PowerShell,Suspicious PowerShell Parameter Substring,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1086: PowerShell,Suspicious PowerShell Parameter Substring,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1086: PowerShell,Suspicious PowerShell Parameter Substring,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1086: PowerShell,Suspicious PowerShell Parameter Substring,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1086: PowerShell,Suspicious PowerShell Parameter Substring,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1086: PowerShell,Suspicious PowerShell Parameter Substring,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0007: Discovery,T1033: System Owner/User Discovery,Whoami Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Windows Processes Suspicious Parent Directory,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Windows Processes Suspicious Parent Directory,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Windows Processes Suspicious Parent Directory,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Windows Processes Suspicious Parent Directory,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Windows Processes Suspicious Parent Directory,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Windows Processes Suspicious Parent Directory,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Process Start Locations,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Process Start Locations,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Process Start Locations,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Process Start Locations,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Process Start Locations,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Process Start Locations,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Process Start Locations,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Process Start Locations,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Process Start Locations,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0003: Persistence,T1100: Web Shell,Execution in Webserver Root Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0003: Persistence,T1100: Web Shell,Execution in Webserver Root Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0003: Persistence,T1100: Web Shell,Execution in Webserver Root Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0003: Persistence,T1100: Web Shell,Execution in Webserver Root Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0003: Persistence,T1100: Web Shell,Execution in Webserver Root Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0003: Persistence,T1100: Web Shell,Execution in Webserver Root Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1086: PowerShell,PowerShell Script Run in AppData,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1086: PowerShell,PowerShell Script Run in AppData,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1086: PowerShell,PowerShell Script Run in AppData,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1086: PowerShell,PowerShell Script Run in AppData,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1086: PowerShell,PowerShell Script Run in AppData,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Executable used by PlugX in Uncommon Location - Sysmon Version,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Executable used by PlugX in Uncommon Location - Sysmon Version,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Executable used by PlugX in Uncommon Location - Sysmon Version,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Executable used by PlugX in Uncommon Location - Sysmon Version,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Executable used by PlugX in Uncommon Location - Sysmon Version,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Executable used by PlugX in Uncommon Location - Sysmon Version,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Executable used by PlugX in Uncommon Location - Sysmon Version,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Executable used by PlugX in Uncommon Location - Sysmon Version,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Executable used by PlugX in Uncommon Location - Sysmon Version,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1064: Scripting,WSF/JSE/JS/VBA/VBE File Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1064: Scripting,WSF/JSE/JS/VBA/VBE File Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1064: Scripting,WSF/JSE/JS/VBA/VBE File Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1064: Scripting,WSF/JSE/JS/VBA/VBE File Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1064: Scripting,WSF/JSE/JS/VBA/VBE File Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1064: Scripting,WSF/JSE/JS/VBA/VBE File Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0004: Privilege Escalation,T1053: Scheduled Task,Windows 10 scheduled task SandboxEscaper 0-day,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0004: Privilege Escalation,T1053: Scheduled Task,Windows 10 scheduled task SandboxEscaper 0-day,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0004: Privilege Escalation,T1053: Scheduled Task,Windows 10 scheduled task SandboxEscaper 0-day,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1053: Scheduled Task,Windows 10 scheduled task SandboxEscaper 0-day,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1053: Scheduled Task,Windows 10 scheduled task SandboxEscaper 0-day,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1053: Scheduled Task,Windows 10 scheduled task SandboxEscaper 0-day,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0004: Privilege Escalation,T1053: Scheduled Task,Windows 10 scheduled task SandboxEscaper 0-day,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0004: Privilege Escalation,T1053: Scheduled Task,Windows 10 scheduled task SandboxEscaper 0-day,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0004: Privilege Escalation,T1053: Scheduled Task,Windows 10 scheduled task SandboxEscaper 0-day,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1053: Scheduled Task,Windows 10 scheduled task SandboxEscaper 0-day,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1053: Scheduled Task,Windows 10 scheduled task SandboxEscaper 0-day,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1053: Scheduled Task,Windows 10 scheduled task SandboxEscaper 0-day,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1035: Service Execution,PsExec Service Start,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1035: Service Execution,PsExec Service Start,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1086: PowerShell,Suspicious PowerShell Invocation based on Parent Process,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0008: Lateral Movement,T1076: Remote Desktop Protocol,Suspicious RDP Redirect Using TSCON,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0008: Lateral Movement,T1076: Remote Desktop Protocol,Suspicious RDP Redirect Using TSCON,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0008: Lateral Movement,T1076: Remote Desktop Protocol,Suspicious RDP Redirect Using TSCON,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0004: Privilege Escalation,T1076: Remote Desktop Protocol,Suspicious RDP Redirect Using TSCON,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0004: Privilege Escalation,T1076: Remote Desktop Protocol,Suspicious RDP Redirect Using TSCON,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0004: Privilege Escalation,T1076: Remote Desktop Protocol,Suspicious RDP Redirect Using TSCON,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0008: Lateral Movement,T1076: Remote Desktop Protocol,Suspicious RDP Redirect Using TSCON,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0008: Lateral Movement,T1076: Remote Desktop Protocol,Suspicious RDP Redirect Using TSCON,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0008: Lateral Movement,T1076: Remote Desktop Protocol,Suspicious RDP Redirect Using TSCON,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0004: Privilege Escalation,T1076: Remote Desktop Protocol,Suspicious RDP Redirect Using TSCON,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0004: Privilege Escalation,T1076: Remote Desktop Protocol,Suspicious RDP Redirect Using TSCON,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0004: Privilege Escalation,T1076: Remote Desktop Protocol,Suspicious RDP Redirect Using TSCON,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1070: Indicator Removal on Host,Disable of ETW Trace,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1070: Indicator Removal on Host,Disable of ETW Trace,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1070: Indicator Removal on Host,Disable of ETW Trace,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1070: Indicator Removal on Host,Disable of ETW Trace,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1070: Indicator Removal on Host,Disable of ETW Trace,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1070: Indicator Removal on Host,Disable of ETW Trace,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
 None,TA0002: Execution,T1086: PowerShell,PowerShell Script Run in AppData,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0007: Discovery,T1087: Account Discovery,Reconnaissance Activity with Net Command,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0007: Discovery,T1087: Account Discovery,Reconnaissance Activity with Net Command,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0007: Discovery,T1087: Account Discovery,Reconnaissance Activity with Net Command,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0007: Discovery,T1082: System Information Discovery,Reconnaissance Activity with Net Command,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0007: Discovery,T1082: System Information Discovery,Reconnaissance Activity with Net Command,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0007: Discovery,T1082: System Information Discovery,Reconnaissance Activity with Net Command,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0007: Discovery,T1087: Account Discovery,Reconnaissance Activity with Net Command,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0007: Discovery,T1087: Account Discovery,Reconnaissance Activity with Net Command,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0007: Discovery,T1087: Account Discovery,Reconnaissance Activity with Net Command,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0007: Discovery,T1082: System Information Discovery,Reconnaissance Activity with Net Command,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0007: Discovery,T1082: System Information Discovery,Reconnaissance Activity with Net Command,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0007: Discovery,T1082: System Information Discovery,Reconnaissance Activity with Net Command,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1086: PowerShell,PowerShell Script Run in AppData,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1086: PowerShell,PowerShell Script Run in AppData,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1086: PowerShell,PowerShell Script Run in AppData,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1086: PowerShell,PowerShell Script Run in AppData,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1086: PowerShell,PowerShell Script Run in AppData,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1086: PowerShell,Suspicious Encoded PowerShell Command Line,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1086: PowerShell,Suspicious Encoded PowerShell Command Line,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1086: PowerShell,Suspicious Encoded PowerShell Command Line,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1086: PowerShell,Suspicious Encoded PowerShell Command Line,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1086: PowerShell,Suspicious Encoded PowerShell Command Line,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1086: PowerShell,Suspicious Encoded PowerShell Command Line,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Renamed Binary,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1064: Scripting,Adwind RAT / JRAT,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title
+None,TA0002: Execution,T1064: Scripting,Adwind RAT / JRAT,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1064: Scripting,Adwind RAT / JRAT,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1064: Scripting,Adwind RAT / JRAT,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0008_windows_sysmon_FileCreate,,,-,title
+None,TA0002: Execution,T1064: Scripting,Adwind RAT / JRAT,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1064: Scripting,Adwind RAT / JRAT,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,-,,,-,title
+None,TA0002: Execution,T1064: Scripting,Adwind RAT / JRAT,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1064: Scripting,Adwind RAT / JRAT,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1064: Scripting,Adwind RAT / JRAT,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0008_windows_sysmon_FileCreate,,,-,title
+None,TA0002: Execution,T1064: Scripting,Adwind RAT / JRAT,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1064: Scripting,Adwind RAT / JRAT,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,-,,,-,title
+None,TA0002: Execution,T1064: Scripting,Adwind RAT / JRAT,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1064: Scripting,Adwind RAT / JRAT,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1064: Scripting,Adwind RAT / JRAT,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0008_windows_sysmon_FileCreate,,,-,title
+None,TA0002: Execution,T1064: Scripting,Adwind RAT / JRAT,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1064: Scripting,Adwind RAT / JRAT,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,-,,,-,title
+None,TA0002: Execution,T1064: Scripting,Adwind RAT / JRAT,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1064: Scripting,Adwind RAT / JRAT,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1064: Scripting,Adwind RAT / JRAT,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0008_windows_sysmon_FileCreate,,,-,title
+None,TA0002: Execution,T1064: Scripting,Adwind RAT / JRAT,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Suspicious GUP Usage,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Suspicious GUP Usage,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Suspicious GUP Usage,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Suspicious GUP Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Suspicious GUP Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Suspicious GUP Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Suspicious GUP Usage,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Suspicious GUP Usage,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Suspicious GUP Usage,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0008: Lateral Movement,T1090: Connection Proxy,Netsh Port Forwarding,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0008: Lateral Movement,T1090: Connection Proxy,Netsh Port Forwarding,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0008: Lateral Movement,T1090: Connection Proxy,Netsh Port Forwarding,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0011: Command and Control,T1090: Connection Proxy,Netsh Port Forwarding,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0011: Command and Control,T1090: Connection Proxy,Netsh Port Forwarding,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0011: Command and Control,T1090: Connection Proxy,Netsh Port Forwarding,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0008: Lateral Movement,T1090: Connection Proxy,Netsh Port Forwarding,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0008: Lateral Movement,T1090: Connection Proxy,Netsh Port Forwarding,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0008: Lateral Movement,T1090: Connection Proxy,Netsh Port Forwarding,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0011: Command and Control,T1090: Connection Proxy,Netsh Port Forwarding,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0011: Command and Control,T1090: Connection Proxy,Netsh Port Forwarding,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0011: Command and Control,T1090: Connection Proxy,Netsh Port Forwarding,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1086: PowerShell,Suspicious PowerShell Parameter Substring,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1086: PowerShell,Suspicious PowerShell Parameter Substring,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1086: PowerShell,Suspicious PowerShell Parameter Substring,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1086: PowerShell,Suspicious PowerShell Parameter Substring,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1086: PowerShell,Suspicious PowerShell Parameter Substring,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1086: PowerShell,Suspicious PowerShell Parameter Substring,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1053: Scheduled Task,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1053: Scheduled Task,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1053: Scheduled Task,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1086: PowerShell,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1086: PowerShell,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1086: PowerShell,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0003: Persistence,T1086: PowerShell,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0003: Persistence,T1086: PowerShell,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0003: Persistence,T1086: PowerShell,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0004: Privilege Escalation,T1053: Scheduled Task,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0004: Privilege Escalation,T1053: Scheduled Task,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0004: Privilege Escalation,T1053: Scheduled Task,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0004: Privilege Escalation,T1086: PowerShell,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0004: Privilege Escalation,T1086: PowerShell,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0004: Privilege Escalation,T1086: PowerShell,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1053: Scheduled Task,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1053: Scheduled Task,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1053: Scheduled Task,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1086: PowerShell,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1086: PowerShell,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1086: PowerShell,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0003: Persistence,T1086: PowerShell,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0003: Persistence,T1086: PowerShell,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0003: Persistence,T1086: PowerShell,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0004: Privilege Escalation,T1053: Scheduled Task,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0004: Privilege Escalation,T1053: Scheduled Task,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0004: Privilege Escalation,T1053: Scheduled Task,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0004: Privilege Escalation,T1086: PowerShell,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0004: Privilege Escalation,T1086: PowerShell,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0004: Privilege Escalation,T1086: PowerShell,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0004: Privilege Escalation,T1068: Exploitation for Privilege Escalation,Windows Kernel and 3rd-party drivers exploits. Token stealing,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0004: Privilege Escalation,T1068: Exploitation for Privilege Escalation,Windows Kernel and 3rd-party drivers exploits. Token stealing,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,EN_0002_enrich_sysmon_event_id_1_with_parent_info,EN_0001_cache_sysmon_event_id_1_info,-,-
+None,TA0005: Defense Evasion,T1036: Masquerading,Executables Started in Suspicious Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Executables Started in Suspicious Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Executables Started in Suspicious Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Executables Started in Suspicious Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Executables Started in Suspicious Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Executables Started in Suspicious Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Executables Started in Suspicious Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Executables Started in Suspicious Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Executables Started in Suspicious Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,PowerShell Base64 Encoded Shellcode,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,PowerShell Base64 Encoded Shellcode,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,PowerShell Base64 Encoded Shellcode,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,PowerShell Base64 Encoded Shellcode,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,PowerShell Base64 Encoded Shellcode,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,PowerShell Base64 Encoded Shellcode,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1059: Command-Line Interface,Command Line Execution with suspicious URL and AppData Strings,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1059: Command-Line Interface,Command Line Execution with suspicious URL and AppData Strings,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1059: Command-Line Interface,Command Line Execution with suspicious URL and AppData Strings,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1059: Command-Line Interface,Command Line Execution with suspicious URL and AppData Strings,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1059: Command-Line Interface,Command Line Execution with suspicious URL and AppData Strings,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1059: Command-Line Interface,Command Line Execution with suspicious URL and AppData Strings,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1500: Compile After Delivery,Suspicious Csc.exe Source File Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1500: Compile After Delivery,Suspicious Csc.exe Source File Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1500: Compile After Delivery,Suspicious Csc.exe Source File Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1500: Compile After Delivery,Suspicious Csc.exe Source File Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1500: Compile After Delivery,Suspicious Csc.exe Source File Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1500: Compile After Delivery,Suspicious Csc.exe Source File Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+TESTCUSTOMER,TA0005: Defense Evasion,T1055: Process Injection,Dridex Process Pattern,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+TESTCUSTOMER,TA0005: Defense Evasion,T1055: Process Injection,Dridex Process Pattern,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+TESTCUSTOMER,TA0005: Defense Evasion,T1055: Process Injection,Dridex Process Pattern,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+TESTCUSTOMER,TA0004: Privilege Escalation,T1055: Process Injection,Dridex Process Pattern,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+TESTCUSTOMER,TA0004: Privilege Escalation,T1055: Process Injection,Dridex Process Pattern,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+TESTCUSTOMER,TA0004: Privilege Escalation,T1055: Process Injection,Dridex Process Pattern,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+TESTCUSTOMER,TA0005: Defense Evasion,T1055: Process Injection,Dridex Process Pattern,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+TESTCUSTOMER,TA0005: Defense Evasion,T1055: Process Injection,Dridex Process Pattern,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+TESTCUSTOMER,TA0005: Defense Evasion,T1055: Process Injection,Dridex Process Pattern,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+TESTCUSTOMER,TA0004: Privilege Escalation,T1055: Process Injection,Dridex Process Pattern,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+TESTCUSTOMER,TA0004: Privilege Escalation,T1055: Process Injection,Dridex Process Pattern,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+TESTCUSTOMER,TA0004: Privilege Escalation,T1055: Process Injection,Dridex Process Pattern,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0007: Discovery,T1033: System Owner/User Discovery,Whoami Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1059: Command-Line Interface,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1059: Command-Line Interface,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1059: Command-Line Interface,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1202: Indirect Command Execution,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1202: Indirect Command Execution,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1202: Indirect Command Execution,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1059: Command-Line Interface,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1059: Command-Line Interface,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1059: Command-Line Interface,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1202: Indirect Command Execution,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1202: Indirect Command Execution,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1202: Indirect Command Execution,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1059: Command-Line Interface,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1059: Command-Line Interface,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1059: Command-Line Interface,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1202: Indirect Command Execution,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1202: Indirect Command Execution,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1202: Indirect Command Execution,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1059: Command-Line Interface,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1059: Command-Line Interface,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1059: Command-Line Interface,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1202: Indirect Command Execution,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1202: Indirect Command Execution,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1202: Indirect Command Execution,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0003: Persistence,T1100: Web Shell,IIS Native-Code Module Command Line Installation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0003: Persistence,T1100: Web Shell,IIS Native-Code Module Command Line Installation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0003: Persistence,T1100: Web Shell,IIS Native-Code Module Command Line Installation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0003: Persistence,T1100: Web Shell,IIS Native-Code Module Command Line Installation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0003: Persistence,T1100: Web Shell,IIS Native-Code Module Command Line Installation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0003: Persistence,T1100: Web Shell,IIS Native-Code Module Command Line Installation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+TESTCUSTOMER;TESTCUSTOMER2,TA0005: Defense Evasion,T1047: Windows Management Instrumentation,SquiblyTwo,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+TESTCUSTOMER,TA0005: Defense Evasion,T1055: Process Injection,Exploit for CVE-2017-0261,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+TESTCUSTOMER,TA0005: Defense Evasion,T1055: Process Injection,Exploit for CVE-2017-0261,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+TESTCUSTOMER,TA0005: Defense Evasion,T1055: Process Injection,Exploit for CVE-2017-0261,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+TESTCUSTOMER,TA0004: Privilege Escalation,T1055: Process Injection,Exploit for CVE-2017-0261,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+TESTCUSTOMER,TA0004: Privilege Escalation,T1055: Process Injection,Exploit for CVE-2017-0261,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+TESTCUSTOMER,TA0004: Privilege Escalation,T1055: Process Injection,Exploit for CVE-2017-0261,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+TESTCUSTOMER,TA0005: Defense Evasion,T1055: Process Injection,Exploit for CVE-2017-0261,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+TESTCUSTOMER,TA0005: Defense Evasion,T1055: Process Injection,Exploit for CVE-2017-0261,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+TESTCUSTOMER,TA0005: Defense Evasion,T1055: Process Injection,Exploit for CVE-2017-0261,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+TESTCUSTOMER,TA0004: Privilege Escalation,T1055: Process Injection,Exploit for CVE-2017-0261,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+TESTCUSTOMER,TA0004: Privilege Escalation,T1055: Process Injection,Exploit for CVE-2017-0261,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+TESTCUSTOMER,TA0004: Privilege Escalation,T1055: Process Injection,Exploit for CVE-2017-0261,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1088: Bypass User Account Control,Empire PowerShell UAC Bypass,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1088: Bypass User Account Control,Empire PowerShell UAC Bypass,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1088: Bypass User Account Control,Empire PowerShell UAC Bypass,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0004: Privilege Escalation,T1088: Bypass User Account Control,Empire PowerShell UAC Bypass,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0004: Privilege Escalation,T1088: Bypass User Account Control,Empire PowerShell UAC Bypass,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0004: Privilege Escalation,T1088: Bypass User Account Control,Empire PowerShell UAC Bypass,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1088: Bypass User Account Control,Empire PowerShell UAC Bypass,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1088: Bypass User Account Control,Empire PowerShell UAC Bypass,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1088: Bypass User Account Control,Empire PowerShell UAC Bypass,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0004: Privilege Escalation,T1088: Bypass User Account Control,Empire PowerShell UAC Bypass,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0004: Privilege Escalation,T1088: Bypass User Account Control,Empire PowerShell UAC Bypass,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0004: Privilege Escalation,T1088: Bypass User Account Control,Empire PowerShell UAC Bypass,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1085: Rundll32,Suspicious Call by Ordinal,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1085: Rundll32,Suspicious Call by Ordinal,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1085: Rundll32,Suspicious Call by Ordinal,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1085: Rundll32,Suspicious Call by Ordinal,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1085: Rundll32,Suspicious Call by Ordinal,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1085: Rundll32,Suspicious Call by Ordinal,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1085: Rundll32,Suspicious Call by Ordinal,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1085: Rundll32,Suspicious Call by Ordinal,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1085: Rundll32,Suspicious Call by Ordinal,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1085: Rundll32,Suspicious Call by Ordinal,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1085: Rundll32,Suspicious Call by Ordinal,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1085: Rundll32,Suspicious Call by Ordinal,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1211: Exploitation for Defense Evasion,Droppers exploiting CVE-2017-11882,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1211: Exploitation for Defense Evasion,Droppers exploiting CVE-2017-11882,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1211: Exploitation for Defense Evasion,Droppers exploiting CVE-2017-11882,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1211: Exploitation for Defense Evasion,Droppers exploiting CVE-2017-11882,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1211: Exploitation for Defense Evasion,Droppers exploiting CVE-2017-11882,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1211: Exploitation for Defense Evasion,Droppers exploiting CVE-2017-11882,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0007: Discovery,T1087: Account Discovery,Suspicious Reconnaissance Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0007: Discovery,T1087: Account Discovery,Suspicious Reconnaissance Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0007: Discovery,T1087: Account Discovery,Suspicious Reconnaissance Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0007: Discovery,T1087: Account Discovery,Suspicious Reconnaissance Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0007: Discovery,T1087: Account Discovery,Suspicious Reconnaissance Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0007: Discovery,T1087: Account Discovery,Suspicious Reconnaissance Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1086: PowerShell,Detection of PowerShell Execution via DLL,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1117: Regsvr32,Regsvr32 Anomaly,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1117: Regsvr32,Regsvr32 Anomaly,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1117: Regsvr32,Regsvr32 Anomaly,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1117: Regsvr32,Regsvr32 Anomaly,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1117: Regsvr32,Regsvr32 Anomaly,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1117: Regsvr32,Regsvr32 Anomaly,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1117: Regsvr32,Regsvr32 Anomaly,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1117: Regsvr32,Regsvr32 Anomaly,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1117: Regsvr32,Regsvr32 Anomaly,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1117: Regsvr32,Regsvr32 Anomaly,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1117: Regsvr32,Regsvr32 Anomaly,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1117: Regsvr32,Regsvr32 Anomaly,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1117: Regsvr32,BlueMashroom DLL Load,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1117: Regsvr32,BlueMashroom DLL Load,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1117: Regsvr32,BlueMashroom DLL Load,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1117: Regsvr32,BlueMashroom DLL Load,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1117: Regsvr32,BlueMashroom DLL Load,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1117: Regsvr32,BlueMashroom DLL Load,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Taskmgr as Parent,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Taskmgr as Parent,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Taskmgr as Parent,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Taskmgr as Parent,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Taskmgr as Parent,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Taskmgr as Parent,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+TESTCUSTOMER;TESTCUSTOMER2,TA0006: Credential Access,T1003: Credential Dumping,Cmdkey Cached Credentials Recon,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+TESTCUSTOMER;TESTCUSTOMER2,TA0006: Credential Access,T1003: Credential Dumping,Cmdkey Cached Credentials Recon,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+TESTCUSTOMER;TESTCUSTOMER2,TA0006: Credential Access,T1003: Credential Dumping,Cmdkey Cached Credentials Recon,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+TESTCUSTOMER;TESTCUSTOMER2,TA0006: Credential Access,T1003: Credential Dumping,Cmdkey Cached Credentials Recon,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+TESTCUSTOMER;TESTCUSTOMER2,TA0006: Credential Access,T1003: Credential Dumping,Cmdkey Cached Credentials Recon,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+TESTCUSTOMER;TESTCUSTOMER2,TA0006: Credential Access,T1003: Credential Dumping,Cmdkey Cached Credentials Recon,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1064: Scripting,Windows Shell Spawning Suspicious Program,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1064: Scripting,Windows Shell Spawning Suspicious Program,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0006: Credential Access,T1208: Kerberoasting,Possible SPN Enumeration,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1064: Scripting,WScript or CScript Dropper,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1064: Scripting,WScript or CScript Dropper,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1064: Scripting,WScript or CScript Dropper,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1064: Scripting,WScript or CScript Dropper,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1064: Scripting,WScript or CScript Dropper,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1064: Scripting,WScript or CScript Dropper,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1064: Scripting,WScript or CScript Dropper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1064: Scripting,WScript or CScript Dropper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1064: Scripting,WScript or CScript Dropper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1064: Scripting,WScript or CScript Dropper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1064: Scripting,WScript or CScript Dropper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1064: Scripting,WScript or CScript Dropper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Calculator Usage,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Calculator Usage,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Calculator Usage,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Calculator Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Calculator Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Calculator Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1197: BITS Jobs,Bitsadmin Download,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1197: BITS Jobs,Bitsadmin Download,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1197: BITS Jobs,Bitsadmin Download,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0003: Persistence,T1197: BITS Jobs,Bitsadmin Download,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0003: Persistence,T1197: BITS Jobs,Bitsadmin Download,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0003: Persistence,T1197: BITS Jobs,Bitsadmin Download,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1197: BITS Jobs,Bitsadmin Download,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1197: BITS Jobs,Bitsadmin Download,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1197: BITS Jobs,Bitsadmin Download,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0003: Persistence,T1197: BITS Jobs,Bitsadmin Download,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0003: Persistence,T1197: BITS Jobs,Bitsadmin Download,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0003: Persistence,T1197: BITS Jobs,Bitsadmin Download,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
 None,TA0002: Execution,T1053: Scheduled Task,Scheduled Task Creation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
 None,TA0003: Persistence,T1053: Scheduled Task,Scheduled Task Creation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
 None,TA0004: Privilege Escalation,T1053: Scheduled Task,Scheduled Task Creation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0004: Privilege Escalation,T1100: Web Shell,Webshell Detection With Command Line Keywords,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0004: Privilege Escalation,T1100: Web Shell,Webshell Detection With Command Line Keywords,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0004: Privilege Escalation,T1100: Web Shell,Webshell Detection With Command Line Keywords,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0003: Persistence,T1100: Web Shell,Webshell Detection With Command Line Keywords,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0003: Persistence,T1100: Web Shell,Webshell Detection With Command Line Keywords,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0003: Persistence,T1100: Web Shell,Webshell Detection With Command Line Keywords,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0004: Privilege Escalation,T1100: Web Shell,Webshell Detection With Command Line Keywords,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0004: Privilege Escalation,T1100: Web Shell,Webshell Detection With Command Line Keywords,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0004: Privilege Escalation,T1100: Web Shell,Webshell Detection With Command Line Keywords,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0003: Persistence,T1100: Web Shell,Webshell Detection With Command Line Keywords,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0003: Persistence,T1100: Web Shell,Webshell Detection With Command Line Keywords,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0003: Persistence,T1100: Web Shell,Webshell Detection With Command Line Keywords,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1090: Connection Proxy,Netsh Port Forwarding,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1090: Connection Proxy,Netsh Port Forwarding,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1090: Connection Proxy,Netsh Port Forwarding,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0011: Command and Control,T1090: Connection Proxy,Netsh Port Forwarding,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0011: Command and Control,T1090: Connection Proxy,Netsh Port Forwarding,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0011: Command and Control,T1090: Connection Proxy,Netsh Port Forwarding,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1090: Connection Proxy,Netsh Port Forwarding,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1090: Connection Proxy,Netsh Port Forwarding,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1090: Connection Proxy,Netsh Port Forwarding,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0011: Command and Control,T1090: Connection Proxy,Netsh Port Forwarding,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0011: Command and Control,T1090: Connection Proxy,Netsh Port Forwarding,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0011: Command and Control,T1090: Connection Proxy,Netsh Port Forwarding,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1064: Scripting,WScript or CScript Dropper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1064: Scripting,WScript or CScript Dropper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1064: Scripting,WScript or CScript Dropper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1064: Scripting,WScript or CScript Dropper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1064: Scripting,WScript or CScript Dropper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1064: Scripting,WScript or CScript Dropper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1064: Scripting,WScript or CScript Dropper,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1064: Scripting,WScript or CScript Dropper,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1064: Scripting,WScript or CScript Dropper,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1064: Scripting,WScript or CScript Dropper,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1064: Scripting,WScript or CScript Dropper,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1064: Scripting,WScript or CScript Dropper,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1203: Exploitation for Client Execution,Exploit for CVE-2017-8759,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1203: Exploitation for Client Execution,Exploit for CVE-2017-8759,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1203: Exploitation for Client Execution,Exploit for CVE-2017-8759,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1203: Exploitation for Client Execution,Exploit for CVE-2017-8759,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1203: Exploitation for Client Execution,Exploit for CVE-2017-8759,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1203: Exploitation for Client Execution,Exploit for CVE-2017-8759,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1059: Command-Line Interface,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1059: Command-Line Interface,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1059: Command-Line Interface,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1202: Indirect Command Execution,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1202: Indirect Command Execution,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1202: Indirect Command Execution,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1059: Command-Line Interface,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1059: Command-Line Interface,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1059: Command-Line Interface,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1202: Indirect Command Execution,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1202: Indirect Command Execution,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1202: Indirect Command Execution,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1059: Command-Line Interface,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1059: Command-Line Interface,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1059: Command-Line Interface,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1202: Indirect Command Execution,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1202: Indirect Command Execution,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1202: Indirect Command Execution,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1059: Command-Line Interface,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1059: Command-Line Interface,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1059: Command-Line Interface,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1202: Indirect Command Execution,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1202: Indirect Command Execution,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1202: Indirect Command Execution,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,PowerShell Base64 Encoded Shellcode,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,PowerShell Base64 Encoded Shellcode,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,PowerShell Base64 Encoded Shellcode,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,PowerShell Base64 Encoded Shellcode,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,PowerShell Base64 Encoded Shellcode,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,PowerShell Base64 Encoded Shellcode,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1117: Regsvr32,Regsvr32 Anomaly,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1117: Regsvr32,Regsvr32 Anomaly,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1117: Regsvr32,Regsvr32 Anomaly,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1117: Regsvr32,Regsvr32 Anomaly,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1117: Regsvr32,Regsvr32 Anomaly,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1117: Regsvr32,Regsvr32 Anomaly,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1117: Regsvr32,Regsvr32 Anomaly,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1117: Regsvr32,Regsvr32 Anomaly,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1117: Regsvr32,Regsvr32 Anomaly,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1117: Regsvr32,Regsvr32 Anomaly,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1117: Regsvr32,Regsvr32 Anomaly,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1117: Regsvr32,Regsvr32 Anomaly,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0004: Privilege Escalation,T1100: Web Shell,Shells Spawned by Web Servers,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0004: Privilege Escalation,T1100: Web Shell,Shells Spawned by Web Servers,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0004: Privilege Escalation,T1100: Web Shell,Shells Spawned by Web Servers,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0003: Persistence,T1100: Web Shell,Shells Spawned by Web Servers,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0003: Persistence,T1100: Web Shell,Shells Spawned by Web Servers,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0003: Persistence,T1100: Web Shell,Shells Spawned by Web Servers,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0004: Privilege Escalation,T1100: Web Shell,Shells Spawned by Web Servers,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0004: Privilege Escalation,T1100: Web Shell,Shells Spawned by Web Servers,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0004: Privilege Escalation,T1100: Web Shell,Shells Spawned by Web Servers,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0003: Persistence,T1100: Web Shell,Shells Spawned by Web Servers,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0003: Persistence,T1100: Web Shell,Shells Spawned by Web Servers,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0003: Persistence,T1100: Web Shell,Shells Spawned by Web Servers,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Calculator Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Calculator Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Calculator Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Calculator Usage,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Calculator Usage,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Calculator Usage,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1088: Bypass User Account Control,Empire PowerShell UAC Bypass,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1088: Bypass User Account Control,Empire PowerShell UAC Bypass,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1088: Bypass User Account Control,Empire PowerShell UAC Bypass,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0004: Privilege Escalation,T1088: Bypass User Account Control,Empire PowerShell UAC Bypass,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0004: Privilege Escalation,T1088: Bypass User Account Control,Empire PowerShell UAC Bypass,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0004: Privilege Escalation,T1088: Bypass User Account Control,Empire PowerShell UAC Bypass,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1088: Bypass User Account Control,Empire PowerShell UAC Bypass,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1088: Bypass User Account Control,Empire PowerShell UAC Bypass,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1088: Bypass User Account Control,Empire PowerShell UAC Bypass,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0004: Privilege Escalation,T1088: Bypass User Account Control,Empire PowerShell UAC Bypass,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0004: Privilege Escalation,T1088: Bypass User Account Control,Empire PowerShell UAC Bypass,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0004: Privilege Escalation,T1088: Bypass User Account Control,Empire PowerShell UAC Bypass,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1003: Credential Dumping,Suspicious Use of Procdump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1003: Credential Dumping,Suspicious Use of Procdump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1003: Credential Dumping,Suspicious Use of Procdump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Suspicious Use of Procdump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Suspicious Use of Procdump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Suspicious Use of Procdump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1003: Credential Dumping,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1003: Credential Dumping,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1003: Credential Dumping,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,System File Execution Location Anomaly,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,System File Execution Location Anomaly,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,System File Execution Location Anomaly,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,System File Execution Location Anomaly,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,System File Execution Location Anomaly,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,System File Execution Location Anomaly,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,System File Execution Location Anomaly,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,System File Execution Location Anomaly,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,System File Execution Location Anomaly,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Execution in Non-Executable Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Execution in Non-Executable Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Execution in Non-Executable Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Execution in Non-Executable Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Execution in Non-Executable Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Execution in Non-Executable Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Execution in Non-Executable Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Execution in Non-Executable Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Execution in Non-Executable Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Rubeus Hack Tool,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Rubeus Hack Tool,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Rubeus Hack Tool,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Rubeus Hack Tool,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Rubeus Hack Tool,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1047: Windows Management Instrumentation,Suspicious WMI execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1047: Windows Management Instrumentation,Suspicious WMI execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1047: Windows Management Instrumentation,Suspicious WMI execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1047: Windows Management Instrumentation,Suspicious WMI execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1047: Windows Management Instrumentation,Suspicious WMI execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1047: Windows Management Instrumentation,Suspicious WMI execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
 None,TA0006: Credential Access,T1003: Credential Dumping,Rubeus Hack Tool,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0003: Persistence,T1100: Web Shell,IIS Native-Code Module Command Line Installation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0003: Persistence,T1100: Web Shell,IIS Native-Code Module Command Line Installation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0003: Persistence,T1100: Web Shell,IIS Native-Code Module Command Line Installation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0003: Persistence,T1100: Web Shell,IIS Native-Code Module Command Line Installation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0003: Persistence,T1100: Web Shell,IIS Native-Code Module Command Line Installation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0003: Persistence,T1100: Web Shell,IIS Native-Code Module Command Line Installation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Executables Started in Suspicious Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Executables Started in Suspicious Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Executables Started in Suspicious Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Executables Started in Suspicious Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Executables Started in Suspicious Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Executables Started in Suspicious Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Executables Started in Suspicious Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Executables Started in Suspicious Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Executables Started in Suspicious Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1211: Exploitation for Defense Evasion,Droppers exploiting CVE-2017-11882,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1211: Exploitation for Defense Evasion,Droppers exploiting CVE-2017-11882,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1211: Exploitation for Defense Evasion,Droppers exploiting CVE-2017-11882,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1211: Exploitation for Defense Evasion,Droppers exploiting CVE-2017-11882,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1211: Exploitation for Defense Evasion,Droppers exploiting CVE-2017-11882,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1211: Exploitation for Defense Evasion,Droppers exploiting CVE-2017-11882,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Suspicious Certutil Command,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Suspicious Certutil Command,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Suspicious Certutil Command,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1105: Remote File Copy,Suspicious Certutil Command,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1105: Remote File Copy,Suspicious Certutil Command,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1105: Remote File Copy,Suspicious Certutil Command,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Suspicious Certutil Command,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Suspicious Certutil Command,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Suspicious Certutil Command,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1105: Remote File Copy,Suspicious Certutil Command,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1105: Remote File Copy,Suspicious Certutil Command,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1105: Remote File Copy,Suspicious Certutil Command,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1070: Indicator Removal on Host,Disable of ETW Trace,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1070: Indicator Removal on Host,Disable of ETW Trace,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1070: Indicator Removal on Host,Disable of ETW Trace,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1070: Indicator Removal on Host,Disable of ETW Trace,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1070: Indicator Removal on Host,Disable of ETW Trace,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1070: Indicator Removal on Host,Disable of ETW Trace,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-TESTCUSTOMER,TA0002: Execution,T1086: PowerShell,Suspicious XOR Encoded PowerShell Command Line,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-TESTCUSTOMER,TA0002: Execution,T1086: PowerShell,Suspicious XOR Encoded PowerShell Command Line,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-TESTCUSTOMER,TA0002: Execution,T1086: PowerShell,Suspicious XOR Encoded PowerShell Command Line,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-TESTCUSTOMER,TA0002: Execution,T1086: PowerShell,Suspicious XOR Encoded PowerShell Command Line,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-TESTCUSTOMER,TA0002: Execution,T1086: PowerShell,Suspicious XOR Encoded PowerShell Command Line,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-TESTCUSTOMER,TA0002: Execution,T1086: PowerShell,Suspicious XOR Encoded PowerShell Command Line,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Execution of Renamed PaExec,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1500: Compile After Delivery,Suspicious Csc.exe Source File Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1500: Compile After Delivery,Suspicious Csc.exe Source File Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1500: Compile After Delivery,Suspicious Csc.exe Source File Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1500: Compile After Delivery,Suspicious Csc.exe Source File Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1500: Compile After Delivery,Suspicious Csc.exe Source File Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1500: Compile After Delivery,Suspicious Csc.exe Source File Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Program Location Process Starts,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Program Location Process Starts,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Program Location Process Starts,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Program Location Process Starts,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Program Location Process Starts,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Program Location Process Starts,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Program Location Process Starts,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Program Location Process Starts,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Program Location Process Starts,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0011: Command and Control,T1219: Remote Access Tools,Suspicious TSCON Start,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-TESTCUSTOMER2;TESTCUSTOMER,TA0005: Defense Evasion,T1088: Bypass User Account Control,CMSTP UAC Bypass via COM Object Access,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-TESTCUSTOMER2;TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP UAC Bypass via COM Object Access,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-TESTCUSTOMER2;TESTCUSTOMER,TA0004: Privilege Escalation,T1088: Bypass User Account Control,CMSTP UAC Bypass via COM Object Access,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-TESTCUSTOMER2;TESTCUSTOMER,TA0004: Privilege Escalation,T1191: CMSTP,CMSTP UAC Bypass via COM Object Access,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-TESTCUSTOMER2;TESTCUSTOMER,TA0002: Execution,T1088: Bypass User Account Control,CMSTP UAC Bypass via COM Object Access,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-TESTCUSTOMER2;TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP UAC Bypass via COM Object Access,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Suspicious Commandline Escape,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Suspicious Commandline Escape,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Suspicious Commandline Escape,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Suspicious Commandline Escape,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Suspicious Commandline Escape,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Suspicious Commandline Escape,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-TESTCUSTOMER2;TESTCUSTOMER,TA0005: Defense Evasion,T1047: Windows Management Instrumentation,SquiblyTwo,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-TESTCUSTOMER,TA0005: Defense Evasion,T1055: Process Injection,Exploit for CVE-2017-0261,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-TESTCUSTOMER,TA0005: Defense Evasion,T1055: Process Injection,Exploit for CVE-2017-0261,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-TESTCUSTOMER,TA0005: Defense Evasion,T1055: Process Injection,Exploit for CVE-2017-0261,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-TESTCUSTOMER,TA0004: Privilege Escalation,T1055: Process Injection,Exploit for CVE-2017-0261,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-TESTCUSTOMER,TA0004: Privilege Escalation,T1055: Process Injection,Exploit for CVE-2017-0261,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-TESTCUSTOMER,TA0004: Privilege Escalation,T1055: Process Injection,Exploit for CVE-2017-0261,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-TESTCUSTOMER,TA0005: Defense Evasion,T1055: Process Injection,Exploit for CVE-2017-0261,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-TESTCUSTOMER,TA0005: Defense Evasion,T1055: Process Injection,Exploit for CVE-2017-0261,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-TESTCUSTOMER,TA0005: Defense Evasion,T1055: Process Injection,Exploit for CVE-2017-0261,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-TESTCUSTOMER,TA0004: Privilege Escalation,T1055: Process Injection,Exploit for CVE-2017-0261,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-TESTCUSTOMER,TA0004: Privilege Escalation,T1055: Process Injection,Exploit for CVE-2017-0261,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-TESTCUSTOMER,TA0004: Privilege Escalation,T1055: Process Injection,Exploit for CVE-2017-0261,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0007: Discovery,T1087: Account Discovery,Suspicious Reconnaissance Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0007: Discovery,T1087: Account Discovery,Suspicious Reconnaissance Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0007: Discovery,T1087: Account Discovery,Suspicious Reconnaissance Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0007: Discovery,T1087: Account Discovery,Suspicious Reconnaissance Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0007: Discovery,T1087: Account Discovery,Suspicious Reconnaissance Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0007: Discovery,T1087: Account Discovery,Suspicious Reconnaissance Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1070: Indicator Removal on Host,Possible Ransomware or unauthorized MBR modifications,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1070: Indicator Removal on Host,Possible Ransomware or unauthorized MBR modifications,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1067: Bootkit,Possible Ransomware or unauthorized MBR modifications,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1067: Bootkit,Possible Ransomware or unauthorized MBR modifications,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0003: Persistence,T1070: Indicator Removal on Host,Possible Ransomware or unauthorized MBR modifications,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0003: Persistence,T1070: Indicator Removal on Host,Possible Ransomware or unauthorized MBR modifications,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0003: Persistence,T1067: Bootkit,Possible Ransomware or unauthorized MBR modifications,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0003: Persistence,T1067: Bootkit,Possible Ransomware or unauthorized MBR modifications,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Ping Hex IP,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Ping Hex IP,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Ping Hex IP,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1027: Obfuscated Files or Information,Ping Hex IP,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1027: Obfuscated Files or Information,Ping Hex IP,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1027: Obfuscated Files or Information,Ping Hex IP,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Ping Hex IP,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Ping Hex IP,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Ping Hex IP,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1027: Obfuscated Files or Information,Ping Hex IP,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1027: Obfuscated Files or Information,Ping Hex IP,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1027: Obfuscated Files or Information,Ping Hex IP,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Taskmgr as Parent,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Taskmgr as Parent,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Taskmgr as Parent,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Taskmgr as Parent,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Taskmgr as Parent,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1036: Masquerading,Taskmgr as Parent,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1064: Scripting,Windows Shell Spawning Suspicious Program,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1064: Scripting,Windows Shell Spawning Suspicious Program,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Executable used by PlugX in Uncommon Location - Sysmon Version,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Executable used by PlugX in Uncommon Location - Sysmon Version,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Executable used by PlugX in Uncommon Location - Sysmon Version,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Executable used by PlugX in Uncommon Location - Sysmon Version,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Executable used by PlugX in Uncommon Location - Sysmon Version,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Executable used by PlugX in Uncommon Location - Sysmon Version,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Executable used by PlugX in Uncommon Location - Sysmon Version,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Executable used by PlugX in Uncommon Location - Sysmon Version,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Executable used by PlugX in Uncommon Location - Sysmon Version,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1170: Mshta,MSHTA Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1170: Mshta,MSHTA Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1170: Mshta,MSHTA Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1170: Mshta,MSHTA Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1170: Mshta,MSHTA Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1170: Mshta,MSHTA Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1170: Mshta,MSHTA Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1170: Mshta,MSHTA Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1170: Mshta,MSHTA Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1170: Mshta,MSHTA Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1170: Mshta,MSHTA Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1170: Mshta,MSHTA Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1170: Mshta,MSHTA spwaned by SVCHOST as seen in LethalHTA,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1170: Mshta,MSHTA spwaned by SVCHOST as seen in LethalHTA,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1170: Mshta,MSHTA spwaned by SVCHOST as seen in LethalHTA,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1170: Mshta,MSHTA spwaned by SVCHOST as seen in LethalHTA,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1170: Mshta,MSHTA spwaned by SVCHOST as seen in LethalHTA,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1170: Mshta,MSHTA spwaned by SVCHOST as seen in LethalHTA,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1170: Mshta,MSHTA spwaned by SVCHOST as seen in LethalHTA,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1170: Mshta,MSHTA spwaned by SVCHOST as seen in LethalHTA,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,Rubeus Hack Tool,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,Rubeus Hack Tool,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,Rubeus Hack Tool,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,Rubeus Hack Tool,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,Rubeus Hack Tool,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1086: PowerShell,Empire PowerShell Launch Parameters,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1086: PowerShell,Empire PowerShell Launch Parameters,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1086: PowerShell,Empire PowerShell Launch Parameters,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1086: PowerShell,Empire PowerShell Launch Parameters,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1086: PowerShell,Empire PowerShell Launch Parameters,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1086: PowerShell,Empire PowerShell Launch Parameters,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
 None,TA0005: Defense Evasion,T1170: Mshta,MSHTA spwaned by SVCHOST as seen in LethalHTA,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1170: Mshta,MSHTA spwaned by SVCHOST as seen in LethalHTA,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1170: Mshta,MSHTA spwaned by SVCHOST as seen in LethalHTA,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1170: Mshta,MSHTA spwaned by SVCHOST as seen in LethalHTA,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1170: Mshta,MSHTA spwaned by SVCHOST as seen in LethalHTA,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
 None,TA0002: Execution,T1170: Mshta,MSHTA spwaned by SVCHOST as seen in LethalHTA,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1059: Command-Line Interface,Command Line Execution with suspicious URL and AppData Strings,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1059: Command-Line Interface,Command Line Execution with suspicious URL and AppData Strings,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1059: Command-Line Interface,Command Line Execution with suspicious URL and AppData Strings,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1059: Command-Line Interface,Command Line Execution with suspicious URL and AppData Strings,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1059: Command-Line Interface,Command Line Execution with suspicious URL and AppData Strings,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1059: Command-Line Interface,Command Line Execution with suspicious URL and AppData Strings,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1064: Scripting,Adwind RAT / JRAT,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0002: Execution,T1064: Scripting,Adwind RAT / JRAT,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1064: Scripting,Adwind RAT / JRAT,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1064: Scripting,Adwind RAT / JRAT,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1064: Scripting,Adwind RAT / JRAT,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0002: Execution,T1064: Scripting,Adwind RAT / JRAT,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1064: Scripting,Adwind RAT / JRAT,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1064: Scripting,Adwind RAT / JRAT,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1064: Scripting,Adwind RAT / JRAT,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0002: Execution,T1064: Scripting,Adwind RAT / JRAT,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1064: Scripting,Adwind RAT / JRAT,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1064: Scripting,Adwind RAT / JRAT,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1064: Scripting,Adwind RAT / JRAT,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0002: Execution,T1064: Scripting,Adwind RAT / JRAT,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1064: Scripting,Adwind RAT / JRAT,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1064: Scripting,Adwind RAT / JRAT,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1076: Remote Desktop Protocol,Suspicious RDP Redirect Using TSCON,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1076: Remote Desktop Protocol,Suspicious RDP Redirect Using TSCON,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1076: Remote Desktop Protocol,Suspicious RDP Redirect Using TSCON,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0004: Privilege Escalation,T1076: Remote Desktop Protocol,Suspicious RDP Redirect Using TSCON,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0004: Privilege Escalation,T1076: Remote Desktop Protocol,Suspicious RDP Redirect Using TSCON,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0004: Privilege Escalation,T1076: Remote Desktop Protocol,Suspicious RDP Redirect Using TSCON,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1076: Remote Desktop Protocol,Suspicious RDP Redirect Using TSCON,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1076: Remote Desktop Protocol,Suspicious RDP Redirect Using TSCON,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1076: Remote Desktop Protocol,Suspicious RDP Redirect Using TSCON,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0004: Privilege Escalation,T1076: Remote Desktop Protocol,Suspicious RDP Redirect Using TSCON,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0004: Privilege Escalation,T1076: Remote Desktop Protocol,Suspicious RDP Redirect Using TSCON,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0004: Privilege Escalation,T1076: Remote Desktop Protocol,Suspicious RDP Redirect Using TSCON,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0001_identification_get_original_email
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0002_identification_extract_observables_from_email
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0003_identification_make_sure_email_is_a_phising
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0004_identification_analyse_obtained_indicators_of_compromise
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0005_identification_find_all_phising_attack_victims
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0040_identification_put_on_monitoring_compromised_accounts
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0006_containment_block_domain_on_email
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0028_containment_block_threat_on_network_level
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0010_eradication_delete_malicious_emails
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0011_eradication_revoke_compromised_credentials
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0012_eradication_report_phishing_attack_to_external_companies
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0013_lessons_learned_develop_incident_report
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0014_lessons_learned_conduct_lessons_learned_exercise
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0001_identification_get_original_email
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0002_identification_extract_observables_from_email
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0003_identification_make_sure_email_is_a_phising
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0004_identification_analyse_obtained_indicators_of_compromise
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0005_identification_find_all_phising_attack_victims
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0040_identification_put_on_monitoring_compromised_accounts
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0006_containment_block_domain_on_email
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0028_containment_block_threat_on_network_level
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0010_eradication_delete_malicious_emails
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0011_eradication_revoke_compromised_credentials
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0012_eradication_report_phishing_attack_to_external_companies
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0013_lessons_learned_develop_incident_report
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0014_lessons_learned_conduct_lessons_learned_exercise
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0001_identification_get_original_email
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0002_identification_extract_observables_from_email
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0003_identification_make_sure_email_is_a_phising
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0004_identification_analyse_obtained_indicators_of_compromise
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0005_identification_find_all_phising_attack_victims
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0040_identification_put_on_monitoring_compromised_accounts
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0006_containment_block_domain_on_email
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0028_containment_block_threat_on_network_level
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0010_eradication_delete_malicious_emails
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0011_eradication_revoke_compromised_credentials
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0012_eradication_report_phishing_attack_to_external_companies
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0013_lessons_learned_develop_incident_report
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0014_lessons_learned_conduct_lessons_learned_exercise
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0001_identification_get_original_email
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0002_identification_extract_observables_from_email
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0003_identification_make_sure_email_is_a_phising
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0004_identification_analyse_obtained_indicators_of_compromise
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0005_identification_find_all_phising_attack_victims
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0040_identification_put_on_monitoring_compromised_accounts
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0006_containment_block_domain_on_email
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0028_containment_block_threat_on_network_level
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0010_eradication_delete_malicious_emails
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0011_eradication_revoke_compromised_credentials
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0012_eradication_report_phishing_attack_to_external_companies
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0013_lessons_learned_develop_incident_report
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0014_lessons_learned_conduct_lessons_learned_exercise
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0001_identification_get_original_email
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0002_identification_extract_observables_from_email
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0003_identification_make_sure_email_is_a_phising
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0004_identification_analyse_obtained_indicators_of_compromise
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0005_identification_find_all_phising_attack_victims
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0040_identification_put_on_monitoring_compromised_accounts
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0006_containment_block_domain_on_email
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0028_containment_block_threat_on_network_level
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0010_eradication_delete_malicious_emails
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0011_eradication_revoke_compromised_credentials
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0012_eradication_report_phishing_attack_to_external_companies
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0013_lessons_learned_develop_incident_report
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0014_lessons_learned_conduct_lessons_learned_exercise
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0001_identification_get_original_email
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0002_identification_extract_observables_from_email
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0003_identification_make_sure_email_is_a_phising
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0004_identification_analyse_obtained_indicators_of_compromise
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0005_identification_find_all_phising_attack_victims
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0040_identification_put_on_monitoring_compromised_accounts
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0006_containment_block_domain_on_email
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0028_containment_block_threat_on_network_level
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0010_eradication_delete_malicious_emails
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0011_eradication_revoke_compromised_credentials
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0012_eradication_report_phishing_attack_to_external_companies
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0013_lessons_learned_develop_incident_report
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0014_lessons_learned_conduct_lessons_learned_exercise
+None,TA0002: Execution,T1170: Mshta,MSHTA spwaned by SVCHOST as seen in LethalHTA,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1170: Mshta,MSHTA spwaned by SVCHOST as seen in LethalHTA,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1170: Mshta,MSHTA spwaned by SVCHOST as seen in LethalHTA,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1170: Mshta,MSHTA spwaned by SVCHOST as seen in LethalHTA,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1170: Mshta,MSHTA spwaned by SVCHOST as seen in LethalHTA,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1170: Mshta,MSHTA spwaned by SVCHOST as seen in LethalHTA,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1170: Mshta,MSHTA spwaned by SVCHOST as seen in LethalHTA,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1170: Mshta,MSHTA spwaned by SVCHOST as seen in LethalHTA,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0003: Persistence,T1138: Application Shimming,Possible Shim Database Persistence via sdbinst.exe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0003: Persistence,T1138: Application Shimming,Possible Shim Database Persistence via sdbinst.exe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0003: Persistence,T1138: Application Shimming,Possible Shim Database Persistence via sdbinst.exe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0003: Persistence,T1138: Application Shimming,Possible Shim Database Persistence via sdbinst.exe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0003: Persistence,T1138: Application Shimming,Possible Shim Database Persistence via sdbinst.exe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0003: Persistence,T1138: Application Shimming,Possible Shim Database Persistence via sdbinst.exe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Taskmgr as LOCAL_SYSTEM,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0008: Lateral Movement,T1175: Component Object Model and Distributed COM,MMC Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0008: Lateral Movement,T1175: Component Object Model and Distributed COM,MMC Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0008: Lateral Movement,T1175: Component Object Model and Distributed COM,MMC Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0008: Lateral Movement,T1175: Component Object Model and Distributed COM,MMC Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0008: Lateral Movement,T1175: Component Object Model and Distributed COM,MMC Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0008: Lateral Movement,T1175: Component Object Model and Distributed COM,MMC Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1086: PowerShell,Malicious Base64 encoded PowerShell Keywords in command lines,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1086: PowerShell,Malicious Base64 encoded PowerShell Keywords in command lines,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1086: PowerShell,Malicious Base64 encoded PowerShell Keywords in command lines,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1086: PowerShell,Malicious Base64 encoded PowerShell Keywords in command lines,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1086: PowerShell,Malicious Base64 encoded PowerShell Keywords in command lines,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1086: PowerShell,Malicious Base64 encoded PowerShell Keywords in command lines,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,Activity Related to NTDS.dit Domain Hash Retrieval,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,Activity Related to NTDS.dit Domain Hash Retrieval,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,Activity Related to NTDS.dit Domain Hash Retrieval,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,Activity Related to NTDS.dit Domain Hash Retrieval,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,Activity Related to NTDS.dit Domain Hash Retrieval,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,Activity Related to NTDS.dit Domain Hash Retrieval,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1064: Scripting,Suspicious RASdial Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1064: Scripting,Suspicious RASdial Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1064: Scripting,Suspicious RASdial Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1064: Scripting,Suspicious RASdial Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1064: Scripting,Suspicious RASdial Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1064: Scripting,Suspicious RASdial Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1064: Scripting,Suspicious RASdial Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1064: Scripting,Suspicious RASdial Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1064: Scripting,Suspicious RASdial Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1064: Scripting,Suspicious RASdial Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1064: Scripting,Suspicious RASdial Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1064: Scripting,Suspicious RASdial Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1203: Exploitation for Client Execution,Exploit for CVE-2017-8759,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1203: Exploitation for Client Execution,Exploit for CVE-2017-8759,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1203: Exploitation for Client Execution,Exploit for CVE-2017-8759,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1203: Exploitation for Client Execution,Exploit for CVE-2017-8759,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1203: Exploitation for Client Execution,Exploit for CVE-2017-8759,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1203: Exploitation for Client Execution,Exploit for CVE-2017-8759,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0004: Privilege Escalation,T1068: Exploitation for Privilege Escalation,Exploiting CVE-2019-1388,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,Suspicious SYSVOL Domain Group Policy Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,Suspicious SYSVOL Domain Group Policy Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,Suspicious SYSVOL Domain Group Policy Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,Suspicious SYSVOL Domain Group Policy Access,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,Suspicious SYSVOL Domain Group Policy Access,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,Suspicious SYSVOL Domain Group Policy Access,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0010: Exfiltration,T1020: Automated Exfiltration,Suspicious Compression Tool Parameters,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0010: Exfiltration,T1002: Data Compressed,Suspicious Compression Tool Parameters,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0008: Lateral Movement,T1090: Connection Proxy,Netsh,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0008: Lateral Movement,T1090: Connection Proxy,Netsh,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0008: Lateral Movement,T1090: Connection Proxy,Netsh,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0011: Command and Control,T1090: Connection Proxy,Netsh,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0011: Command and Control,T1090: Connection Proxy,Netsh,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0011: Command and Control,T1090: Connection Proxy,Netsh,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0008: Lateral Movement,T1090: Connection Proxy,Netsh,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0008: Lateral Movement,T1090: Connection Proxy,Netsh,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0008: Lateral Movement,T1090: Connection Proxy,Netsh,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0011: Command and Control,T1090: Connection Proxy,Netsh,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0011: Command and Control,T1090: Connection Proxy,Netsh,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0011: Command and Control,T1090: Connection Proxy,Netsh,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0011: Command and Control,T1219: Remote Access Tools,Suspicious TSCON Start,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0004: Privilege Escalation,T1100: Web Shell,Shells Spawned by Web Servers,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0004: Privilege Escalation,T1100: Web Shell,Shells Spawned by Web Servers,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0004: Privilege Escalation,T1100: Web Shell,Shells Spawned by Web Servers,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0003: Persistence,T1100: Web Shell,Shells Spawned by Web Servers,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0003: Persistence,T1100: Web Shell,Shells Spawned by Web Servers,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0003: Persistence,T1100: Web Shell,Shells Spawned by Web Servers,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0004: Privilege Escalation,T1100: Web Shell,Shells Spawned by Web Servers,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0004: Privilege Escalation,T1100: Web Shell,Shells Spawned by Web Servers,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0004: Privilege Escalation,T1100: Web Shell,Shells Spawned by Web Servers,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0003: Persistence,T1100: Web Shell,Shells Spawned by Web Servers,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0003: Persistence,T1100: Web Shell,Shells Spawned by Web Servers,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0003: Persistence,T1100: Web Shell,Shells Spawned by Web Servers,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+TESTCUSTOMER;TESTCUSTOMER2,TA0005: Defense Evasion,T1088: Bypass User Account Control,CMSTP UAC Bypass via COM Object Access,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+TESTCUSTOMER;TESTCUSTOMER2,TA0005: Defense Evasion,T1191: CMSTP,CMSTP UAC Bypass via COM Object Access,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+TESTCUSTOMER;TESTCUSTOMER2,TA0004: Privilege Escalation,T1088: Bypass User Account Control,CMSTP UAC Bypass via COM Object Access,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+TESTCUSTOMER;TESTCUSTOMER2,TA0004: Privilege Escalation,T1191: CMSTP,CMSTP UAC Bypass via COM Object Access,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+TESTCUSTOMER;TESTCUSTOMER2,TA0002: Execution,T1088: Bypass User Account Control,CMSTP UAC Bypass via COM Object Access,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+TESTCUSTOMER;TESTCUSTOMER2,TA0002: Execution,T1191: CMSTP,CMSTP UAC Bypass via COM Object Access,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Ping Hex IP,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Ping Hex IP,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Ping Hex IP,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1027: Obfuscated Files or Information,Ping Hex IP,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1027: Obfuscated Files or Information,Ping Hex IP,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1027: Obfuscated Files or Information,Ping Hex IP,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Ping Hex IP,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Ping Hex IP,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Ping Hex IP,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1027: Obfuscated Files or Information,Ping Hex IP,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1027: Obfuscated Files or Information,Ping Hex IP,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1027: Obfuscated Files or Information,Ping Hex IP,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,System File Execution Location Anomaly,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,System File Execution Location Anomaly,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,System File Execution Location Anomaly,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,System File Execution Location Anomaly,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,System File Execution Location Anomaly,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,System File Execution Location Anomaly,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,System File Execution Location Anomaly,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,System File Execution Location Anomaly,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,System File Execution Location Anomaly,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1070: Indicator Removal on Host,Possible Ransomware or unauthorized MBR modifications,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1070: Indicator Removal on Host,Possible Ransomware or unauthorized MBR modifications,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1067: Bootkit,Possible Ransomware or unauthorized MBR modifications,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1067: Bootkit,Possible Ransomware or unauthorized MBR modifications,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0003: Persistence,T1070: Indicator Removal on Host,Possible Ransomware or unauthorized MBR modifications,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0003: Persistence,T1070: Indicator Removal on Host,Possible Ransomware or unauthorized MBR modifications,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0003: Persistence,T1067: Bootkit,Possible Ransomware or unauthorized MBR modifications,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0003: Persistence,T1067: Bootkit,Possible Ransomware or unauthorized MBR modifications,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0007: Discovery,T1087: Account Discovery,Reconnaissance Activity with Net Command,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0007: Discovery,T1087: Account Discovery,Reconnaissance Activity with Net Command,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0007: Discovery,T1087: Account Discovery,Reconnaissance Activity with Net Command,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0007: Discovery,T1082: System Information Discovery,Reconnaissance Activity with Net Command,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0007: Discovery,T1082: System Information Discovery,Reconnaissance Activity with Net Command,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0007: Discovery,T1082: System Information Discovery,Reconnaissance Activity with Net Command,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0007: Discovery,T1087: Account Discovery,Reconnaissance Activity with Net Command,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0007: Discovery,T1087: Account Discovery,Reconnaissance Activity with Net Command,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0007: Discovery,T1087: Account Discovery,Reconnaissance Activity with Net Command,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0007: Discovery,T1082: System Information Discovery,Reconnaissance Activity with Net Command,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0007: Discovery,T1082: System Information Discovery,Reconnaissance Activity with Net Command,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0007: Discovery,T1082: System Information Discovery,Reconnaissance Activity with Net Command,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0006: Credential Access,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0006: Credential Access,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0006: Credential Access,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0006: Credential Access,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0006: Credential Access,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0006: Credential Access,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0006: Credential Access,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0006: Credential Access,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0006: Credential Access,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0006: Credential Access,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0006: Credential Access,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0006: Credential Access,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1070: Indicator Removal on Host,Suspicious eventlog clear or configuration using wevtutil,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious MsiExec Directory,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious MsiExec Directory,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious MsiExec Directory,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious MsiExec Directory,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious MsiExec Directory,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious MsiExec Directory,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious MsiExec Directory,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious MsiExec Directory,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious MsiExec Directory,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Program Location Process Starts,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Program Location Process Starts,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Program Location Process Starts,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Program Location Process Starts,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Program Location Process Starts,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Program Location Process Starts,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Program Location Process Starts,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Program Location Process Starts,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Program Location Process Starts,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0008: Lateral Movement,T1047: Windows Management Instrumentation,Impacket Lateralization Detection,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0008: Lateral Movement,T1175: Component Object Model and Distributed COM,Impacket Lateralization Detection,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Suspicious Commandline Escape,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Suspicious Commandline Escape,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Suspicious Commandline Escape,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Suspicious Commandline Escape,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Suspicious Commandline Escape,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Suspicious Commandline Escape,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1059: Command-Line Interface,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1059: Command-Line Interface,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1059: Command-Line Interface,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1202: Indirect Command Execution,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1202: Indirect Command Execution,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1202: Indirect Command Execution,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1059: Command-Line Interface,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1059: Command-Line Interface,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1059: Command-Line Interface,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1202: Indirect Command Execution,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1202: Indirect Command Execution,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1202: Indirect Command Execution,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1059: Command-Line Interface,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1059: Command-Line Interface,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1059: Command-Line Interface,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1202: Indirect Command Execution,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1202: Indirect Command Execution,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1202: Indirect Command Execution,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1059: Command-Line Interface,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1059: Command-Line Interface,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1059: Command-Line Interface,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1202: Indirect Command Execution,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1202: Indirect Command Execution,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1202: Indirect Command Execution,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,Process dump via comsvcs DLL,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
 None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0001_identification_get_original_email
 None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0002_identification_extract_observables_from_email
 None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0003_identification_make_sure_email_is_a_phising
@@ -6574,19 +1117,6 @@ None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Ex
 None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0012_eradication_report_phishing_attack_to_external_companies
 None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0013_lessons_learned_develop_incident_report
 None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0014_lessons_learned_conduct_lessons_learned_exercise
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0001_identification_get_original_email
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0002_identification_extract_observables_from_email
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0003_identification_make_sure_email_is_a_phising
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0004_identification_analyse_obtained_indicators_of_compromise
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0005_identification_find_all_phising_attack_victims
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0040_identification_put_on_monitoring_compromised_accounts
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0006_containment_block_domain_on_email
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0028_containment_block_threat_on_network_level
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0010_eradication_delete_malicious_emails
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0011_eradication_revoke_compromised_credentials
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0012_eradication_report_phishing_attack_to_external_companies
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0013_lessons_learned_develop_incident_report
-None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0014_lessons_learned_conduct_lessons_learned_exercise
 None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0001_identification_get_original_email
 None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0002_identification_extract_observables_from_email
 None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0003_identification_make_sure_email_is_a_phising
@@ -6600,216 +1130,507 @@ None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Ex
 None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0012_eradication_report_phishing_attack_to_external_companies
 None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0013_lessons_learned_develop_incident_report
 None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0014_lessons_learned_conduct_lessons_learned_exercise
-None,TA0002: Execution,T1086: PowerShell,Detection of PowerShell Execution via DLL,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1021: Remote Services,Netsh RDP Port Forwarding,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1021: Remote Services,Netsh RDP Port Forwarding,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1021: Remote Services,Netsh RDP Port Forwarding,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1021: Remote Services,Netsh RDP Port Forwarding,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1021: Remote Services,Netsh RDP Port Forwarding,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0008: Lateral Movement,T1021: Remote Services,Netsh RDP Port Forwarding,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1064: Scripting,Suspicious RASdial Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1064: Scripting,Suspicious RASdial Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1064: Scripting,Suspicious RASdial Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1064: Scripting,Suspicious RASdial Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1064: Scripting,Suspicious RASdial Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1064: Scripting,Suspicious RASdial Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1064: Scripting,Suspicious RASdial Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1064: Scripting,Suspicious RASdial Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1064: Scripting,Suspicious RASdial Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1064: Scripting,Suspicious RASdial Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1064: Scripting,Suspicious RASdial Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1064: Scripting,Suspicious RASdial Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0004: Privilege Escalation,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title
-None,TA0004: Privilege Escalation,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0004: Privilege Escalation,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0004: Privilege Escalation,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0003: Persistence,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title
-None,TA0003: Persistence,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0003: Persistence,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0003: Persistence,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0004: Privilege Escalation,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,-,,,-,title
-None,TA0004: Privilege Escalation,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0004: Privilege Escalation,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0004: Privilege Escalation,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0003: Persistence,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,-,,,-,title
-None,TA0003: Persistence,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0003: Persistence,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0003: Persistence,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0004: Privilege Escalation,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,-,,,-,title
-None,TA0004: Privilege Escalation,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0004: Privilege Escalation,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0004: Privilege Escalation,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0003: Persistence,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,-,,,-,title
-None,TA0003: Persistence,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0003: Persistence,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0003: Persistence,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title
-TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title
-TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0001_windows_audit_process_creation,,,-,title
-TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title
-TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title
-TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0001_windows_audit_process_creation,,,-,title
-TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,-,,,-,title
-TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0003_windows_sysmon_process_creation,,,-,title
-TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0001_windows_audit_process_creation,,,-,title
-TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,-,,,-,title
-TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0003_windows_sysmon_process_creation,,,-,title
-TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0001_windows_audit_process_creation,,,-,title
-TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,-,title
-TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title
-TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0001_windows_audit_process_creation,,,-,title
-TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,-,title
-TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title
-TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0001_windows_audit_process_creation,,,-,title
-TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,-,,,-,title
-TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,-,,,-,title
-TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,-,,,-,title
-TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,-,,,-,title
-TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1210: Exploitation of Remote Services,Suspicious Outbound RDP Connections,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0005: Defense Evasion,T1055: Process Injection,Malware Shellcode in Verclsid Target Process,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0004: Privilege Escalation,T1055: Process Injection,Malware Shellcode in Verclsid Target Process,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0005: Defense Evasion,T1085: Rundll32,PowerShell Rundll32 Remote Thread Creation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,-,,,-,title
-None,TA0005: Defense Evasion,T1086: PowerShell,PowerShell Rundll32 Remote Thread Creation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,-,,,-,title
-None,TA0002: Execution,T1085: Rundll32,PowerShell Rundll32 Remote Thread Creation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,-,,,-,title
-None,TA0002: Execution,T1086: PowerShell,PowerShell Rundll32 Remote Thread Creation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,-,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Detection LSASS Access,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz In-Memory,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz In-Memory,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Detection of SafetyKatz,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0002: Execution,T1086: PowerShell,Suspicious Scripting in a WMI Consumer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0004: Privilege Escalation,T1183: Image File Execution Options Injection,Registry Persistence Mechanisms,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title
-None,TA0003: Persistence,T1183: Image File Execution Options Injection,Registry Persistence Mechanisms,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title
-None,TA0005: Defense Evasion,T1183: Image File Execution Options Injection,Registry Persistence Mechanisms,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title
-None,TA0002: Execution,T1086: PowerShell,PowerShell Network Connections,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0005: Defense Evasion,T1055: Process Injection,CobaltStrike Process Injection,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,-,,,-,title
-None,TA0003: Persistence,T1050: New Service,Suspicious Driver Load from Temp,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,-,,,-,title
-None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0003: Persistence,T1084: Windows Management Instrumentation Event Subscription,WMI Persistence - Command Line Event Consumer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,Password Dumper Remote Thread in LSASS,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,-,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,LSASS Memory Dump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0007_windows_sysmon_ProcessAccess,,,-,title
-None,TA0005: Defense Evasion,T1073: DLL Side-Loading,DNS ServerLevelPluginDll Install,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title
-None,TA0005: Defense Evasion,T1073: DLL Side-Loading,DNS ServerLevelPluginDll Install,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1073: DLL Side-Loading,DNS ServerLevelPluginDll Install,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1073: DLL Side-Loading,DNS ServerLevelPluginDll Install,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1073: DLL Side-Loading,DNS ServerLevelPluginDll Install,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,-,,,-,title
-None,TA0005: Defense Evasion,T1073: DLL Side-Loading,DNS ServerLevelPluginDll Install,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1073: DLL Side-Loading,DNS ServerLevelPluginDll Install,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1073: DLL Side-Loading,DNS ServerLevelPluginDll Install,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1073: DLL Side-Loading,DNS ServerLevelPluginDll Install,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,-,,,-,title
-None,TA0005: Defense Evasion,T1073: DLL Side-Loading,DNS ServerLevelPluginDll Install,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1073: DLL Side-Loading,DNS ServerLevelPluginDll Install,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0005: Defense Evasion,T1073: DLL Side-Loading,DNS ServerLevelPluginDll Install,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1064: Scripting,Suspicious File Characteristics due to Missing Fields,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0005: Defense Evasion,T1064: Scripting,Suspicious File Characteristics due to Missing Fields,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1064: Scripting,Suspicious File Characteristics due to Missing Fields,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0002: Execution,T1064: Scripting,Suspicious File Characteristics due to Missing Fields,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1064: Scripting,Suspicious File Characteristics due to Missing Fields,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0005: Defense Evasion,T1064: Scripting,Suspicious File Characteristics due to Missing Fields,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1064: Scripting,Suspicious File Characteristics due to Missing Fields,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0002: Execution,T1064: Scripting,Suspicious File Characteristics due to Missing Fields,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1027: Obfuscated Files or Information,Executable in ADS,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,-,,,-,title
-None,TA0006: Credential Access,T1003: Credential Dumping,QuarksPwDump Dump File,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0005: Defense Evasion,T1088: Bypass User Account Control,UAC Bypass via sdclt,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title
-None,TA0004: Privilege Escalation,T1088: Bypass User Account Control,UAC Bypass via sdclt,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title
-None,TA0002: Execution,T1055: Process Injection,CACTUSTORCH Remote Thread Creation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,-,,,-,title
-None,TA0002: Execution,T1064: Scripting,CACTUSTORCH Remote Thread Creation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,-,,,-,title
-None,TA0008: Lateral Movement,T1105: Remote File Copy,Microsoft Binary Suspicious Communication Endpoint,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0002: Execution,T1053: Scheduled Task,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1086: PowerShell,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0003: Persistence,T1086: PowerShell,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0004: Privilege Escalation,T1053: Scheduled Task,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0004: Privilege Escalation,T1086: PowerShell,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0008: Lateral Movement,T1105: Remote File Copy,Microsoft Binary Github Communication,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0011: Command and Control,T1043: Commonly Used Port,Suspicious Typical Malware Back Connect Ports,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0003: Persistence,T1084: Windows Management Instrumentation Event Subscription,WMI Event Subscription,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0003: Persistence,T1084: Windows Management Instrumentation Event Subscription,WMI Event Subscription,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0003: Persistence,T1084: Windows Management Instrumentation Event Subscription,WMI Event Subscription,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0010_windows_sysmon_WmiEvent,,,-,title
-None,TA0003: Persistence,T1084: Windows Management Instrumentation Event Subscription,WMI Persistence - Script Event Consumer File Write,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0005: Defense Evasion,T1085: Rundll32,Rundll32 Internet Connection,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0002: Execution,T1085: Rundll32,Rundll32 Internet Connection,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0005: Defense Evasion,T1055: Process Injection,Malicious Named Pipe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0004: Privilege Escalation,T1055: Process Injection,Malicious Named Pipe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0005: Defense Evasion,T1055: Process Injection,Malicious Named Pipe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0004: Privilege Escalation,T1055: Process Injection,Malicious Named Pipe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0009_windows_sysmon_PipeEvent,,,-,title
-None,TA0003: Persistence,T1060: Registry Run Keys / Startup Folder,Registry Persistence via Explorer Run Key,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0001_identification_get_original_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0002_identification_extract_observables_from_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0003_identification_make_sure_email_is_a_phising
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0004_identification_analyse_obtained_indicators_of_compromise
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0005_identification_find_all_phising_attack_victims
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0040_identification_put_on_monitoring_compromised_accounts
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0006_containment_block_domain_on_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0028_containment_block_threat_on_network_level
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0010_eradication_delete_malicious_emails
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0011_eradication_revoke_compromised_credentials
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0012_eradication_report_phishing_attack_to_external_companies
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0013_lessons_learned_develop_incident_report
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0014_lessons_learned_conduct_lessons_learned_exercise
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0001_identification_get_original_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0002_identification_extract_observables_from_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0003_identification_make_sure_email_is_a_phising
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0004_identification_analyse_obtained_indicators_of_compromise
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0005_identification_find_all_phising_attack_victims
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0040_identification_put_on_monitoring_compromised_accounts
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0006_containment_block_domain_on_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0028_containment_block_threat_on_network_level
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0010_eradication_delete_malicious_emails
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0011_eradication_revoke_compromised_credentials
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0012_eradication_report_phishing_attack_to_external_companies
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0013_lessons_learned_develop_incident_report
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0014_lessons_learned_conduct_lessons_learned_exercise
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0001_identification_get_original_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0002_identification_extract_observables_from_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0003_identification_make_sure_email_is_a_phising
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0004_identification_analyse_obtained_indicators_of_compromise
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0005_identification_find_all_phising_attack_victims
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0040_identification_put_on_monitoring_compromised_accounts
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0006_containment_block_domain_on_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0028_containment_block_threat_on_network_level
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0010_eradication_delete_malicious_emails
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0011_eradication_revoke_compromised_credentials
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0012_eradication_report_phishing_attack_to_external_companies
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0013_lessons_learned_develop_incident_report
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0014_lessons_learned_conduct_lessons_learned_exercise
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0001_identification_get_original_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0002_identification_extract_observables_from_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0003_identification_make_sure_email_is_a_phising
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0004_identification_analyse_obtained_indicators_of_compromise
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0005_identification_find_all_phising_attack_victims
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0040_identification_put_on_monitoring_compromised_accounts
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0006_containment_block_domain_on_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0028_containment_block_threat_on_network_level
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0010_eradication_delete_malicious_emails
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0011_eradication_revoke_compromised_credentials
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0012_eradication_report_phishing_attack_to_external_companies
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0013_lessons_learned_develop_incident_report
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0014_lessons_learned_conduct_lessons_learned_exercise
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0001_identification_get_original_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0002_identification_extract_observables_from_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0003_identification_make_sure_email_is_a_phising
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0004_identification_analyse_obtained_indicators_of_compromise
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0005_identification_find_all_phising_attack_victims
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0040_identification_put_on_monitoring_compromised_accounts
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0006_containment_block_domain_on_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0028_containment_block_threat_on_network_level
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0010_eradication_delete_malicious_emails
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0011_eradication_revoke_compromised_credentials
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0012_eradication_report_phishing_attack_to_external_companies
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0013_lessons_learned_develop_incident_report
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0014_lessons_learned_conduct_lessons_learned_exercise
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0001_identification_get_original_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0002_identification_extract_observables_from_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0003_identification_make_sure_email_is_a_phising
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0004_identification_analyse_obtained_indicators_of_compromise
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0005_identification_find_all_phising_attack_victims
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0040_identification_put_on_monitoring_compromised_accounts
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0006_containment_block_domain_on_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0028_containment_block_threat_on_network_level
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0010_eradication_delete_malicious_emails
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0011_eradication_revoke_compromised_credentials
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0012_eradication_report_phishing_attack_to_external_companies
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0013_lessons_learned_develop_incident_report
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0014_lessons_learned_conduct_lessons_learned_exercise
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0001_identification_get_original_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0002_identification_extract_observables_from_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0003_identification_make_sure_email_is_a_phising
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0004_identification_analyse_obtained_indicators_of_compromise
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0005_identification_find_all_phising_attack_victims
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0040_identification_put_on_monitoring_compromised_accounts
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0006_containment_block_domain_on_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0028_containment_block_threat_on_network_level
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0010_eradication_delete_malicious_emails
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0011_eradication_revoke_compromised_credentials
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0012_eradication_report_phishing_attack_to_external_companies
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0013_lessons_learned_develop_incident_report
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0014_lessons_learned_conduct_lessons_learned_exercise
+None,TA0005: Defense Evasion,T1055: Process Injection,Exploiting SetupComplete.cmd CVE-2019-1378,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0004: Privilege Escalation,T1055: Process Injection,Exploiting SetupComplete.cmd CVE-2019-1378,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1086: PowerShell,Powershell AMSI Bypass via .NET Reflection,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1086: PowerShell,Powershell AMSI Bypass via .NET Reflection,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1086: PowerShell,Powershell AMSI Bypass via .NET Reflection,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1086: PowerShell,Powershell AMSI Bypass via .NET Reflection,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1086: PowerShell,Powershell AMSI Bypass via .NET Reflection,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1086: PowerShell,Powershell AMSI Bypass via .NET Reflection,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1086: PowerShell,Powershell AMSI Bypass via .NET Reflection,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1086: PowerShell,Powershell AMSI Bypass via .NET Reflection,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1086: PowerShell,Powershell AMSI Bypass via .NET Reflection,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1086: PowerShell,Powershell AMSI Bypass via .NET Reflection,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1086: PowerShell,Powershell AMSI Bypass via .NET Reflection,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1086: PowerShell,Powershell AMSI Bypass via .NET Reflection,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1196: Control Panel Items,Control Panel Items,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1196: Control Panel Items,Control Panel Items,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1196: Control Panel Items,Control Panel Items,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1196: Control Panel Items,Control Panel Items,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1196: Control Panel Items,Control Panel Items,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1196: Control Panel Items,Control Panel Items,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1196: Control Panel Items,Control Panel Items,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1196: Control Panel Items,Control Panel Items,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
 None,TA0002: Execution,T1196: Control Panel Items,Control Panel Items,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1196: Control Panel Items,Control Panel Items,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1196: Control Panel Items,Control Panel Items,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
 None,TA0005: Defense Evasion,T1196: Control Panel Items,Control Panel Items,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Possible Process Hollowing Image Loading,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,-,title
-None,TA0002: Execution,T1086: PowerShell,Malicious PowerShell Commandlet Names,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0008_windows_sysmon_FileCreate,,,-,title
-None,TA0004: Privilege Escalation,T1053: Scheduled Task,Windows 10 scheduled task SandboxEscaper 0-day,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0004: Privilege Escalation,T1053: Scheduled Task,Windows 10 scheduled task SandboxEscaper 0-day,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0004: Privilege Escalation,T1053: Scheduled Task,Windows 10 scheduled task SandboxEscaper 0-day,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1053: Scheduled Task,Windows 10 scheduled task SandboxEscaper 0-day,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1053: Scheduled Task,Windows 10 scheduled task SandboxEscaper 0-day,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1053: Scheduled Task,Windows 10 scheduled task SandboxEscaper 0-day,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0004: Privilege Escalation,T1053: Scheduled Task,Windows 10 scheduled task SandboxEscaper 0-day,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0004: Privilege Escalation,T1053: Scheduled Task,Windows 10 scheduled task SandboxEscaper 0-day,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0004: Privilege Escalation,T1053: Scheduled Task,Windows 10 scheduled task SandboxEscaper 0-day,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0002: Execution,T1053: Scheduled Task,Windows 10 scheduled task SandboxEscaper 0-day,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0002: Execution,T1053: Scheduled Task,Windows 10 scheduled task SandboxEscaper 0-day,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
-None,TA0002: Execution,T1053: Scheduled Task,Windows 10 scheduled task SandboxEscaper 0-day,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
-None,TA0005: Defense Evasion,T1076: Remote Desktop Protocol,RDP over Reverse SSH Tunnel,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0005_windows_sysmon_network_connection,,,-,title
-None,TA0011: Command and Control,T1076: Remote Desktop Protocol,RDP over Reverse SSH Tunnel,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0005_windows_sysmon_network_connection,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Execution in Non-Executable Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Execution in Non-Executable Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Execution in Non-Executable Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Execution in Non-Executable Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Execution in Non-Executable Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Execution in Non-Executable Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Execution in Non-Executable Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Execution in Non-Executable Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Execution in Non-Executable Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1064: Scripting,WMI Spawning Windows PowerShell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1064: Scripting,WMI Spawning Windows PowerShell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1064: Scripting,WMI Spawning Windows PowerShell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1064: Scripting,WMI Spawning Windows PowerShell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1064: Scripting,WMI Spawning Windows PowerShell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1064: Scripting,WMI Spawning Windows PowerShell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1064: Scripting,WMI Spawning Windows PowerShell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1064: Scripting,WMI Spawning Windows PowerShell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1064: Scripting,WMI Spawning Windows PowerShell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1064: Scripting,WMI Spawning Windows PowerShell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1064: Scripting,WMI Spawning Windows PowerShell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1064: Scripting,WMI Spawning Windows PowerShell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Parent of Csc.exe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Parent of Csc.exe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Parent of Csc.exe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Parent of Csc.exe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Parent of Csc.exe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Parent of Csc.exe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Svchost Process,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Svchost Process,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Svchost Process,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Svchost Process,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Svchost Process,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Svchost Process,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0008: Lateral Movement,T1021: Remote Services,Netsh RDP Port Forwarding,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0008: Lateral Movement,T1021: Remote Services,Netsh RDP Port Forwarding,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0008: Lateral Movement,T1021: Remote Services,Netsh RDP Port Forwarding,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0008: Lateral Movement,T1021: Remote Services,Netsh RDP Port Forwarding,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0008: Lateral Movement,T1021: Remote Services,Netsh RDP Port Forwarding,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0008: Lateral Movement,T1021: Remote Services,Netsh RDP Port Forwarding,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1059: Command-Line Interface,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1059: Command-Line Interface,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1059: Command-Line Interface,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1202: Indirect Command Execution,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1202: Indirect Command Execution,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1202: Indirect Command Execution,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0001_identification_get_original_email
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0002_identification_extract_observables_from_email
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0003_identification_make_sure_email_is_a_phising
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0004_identification_analyse_obtained_indicators_of_compromise
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0005_identification_find_all_phising_attack_victims
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0040_identification_put_on_monitoring_compromised_accounts
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0006_containment_block_domain_on_email
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0028_containment_block_threat_on_network_level
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0010_eradication_delete_malicious_emails
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0011_eradication_revoke_compromised_credentials
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0012_eradication_report_phishing_attack_to_external_companies
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0013_lessons_learned_develop_incident_report
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0014_lessons_learned_conduct_lessons_learned_exercise
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0001_identification_get_original_email
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0002_identification_extract_observables_from_email
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0003_identification_make_sure_email_is_a_phising
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0004_identification_analyse_obtained_indicators_of_compromise
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0005_identification_find_all_phising_attack_victims
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0040_identification_put_on_monitoring_compromised_accounts
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0006_containment_block_domain_on_email
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0028_containment_block_threat_on_network_level
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0010_eradication_delete_malicious_emails
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0011_eradication_revoke_compromised_credentials
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0012_eradication_report_phishing_attack_to_external_companies
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0013_lessons_learned_develop_incident_report
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0014_lessons_learned_conduct_lessons_learned_exercise
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0001_identification_get_original_email
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0002_identification_extract_observables_from_email
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0003_identification_make_sure_email_is_a_phising
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0004_identification_analyse_obtained_indicators_of_compromise
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0005_identification_find_all_phising_attack_victims
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0040_identification_put_on_monitoring_compromised_accounts
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0006_containment_block_domain_on_email
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0028_containment_block_threat_on_network_level
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0010_eradication_delete_malicious_emails
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0011_eradication_revoke_compromised_credentials
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0012_eradication_report_phishing_attack_to_external_companies
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0013_lessons_learned_develop_incident_report
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0014_lessons_learned_conduct_lessons_learned_exercise
+None,TA0005: Defense Evasion,T1059: Command-Line Interface,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1059: Command-Line Interface,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1059: Command-Line Interface,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1202: Indirect Command Execution,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1202: Indirect Command Execution,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1202: Indirect Command Execution,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0001_identification_get_original_email
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0002_identification_extract_observables_from_email
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0003_identification_make_sure_email_is_a_phising
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0004_identification_analyse_obtained_indicators_of_compromise
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0005_identification_find_all_phising_attack_victims
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0040_identification_put_on_monitoring_compromised_accounts
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0006_containment_block_domain_on_email
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0028_containment_block_threat_on_network_level
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0010_eradication_delete_malicious_emails
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0011_eradication_revoke_compromised_credentials
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0012_eradication_report_phishing_attack_to_external_companies
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0013_lessons_learned_develop_incident_report
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0014_lessons_learned_conduct_lessons_learned_exercise
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0001_identification_get_original_email
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0002_identification_extract_observables_from_email
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0003_identification_make_sure_email_is_a_phising
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0004_identification_analyse_obtained_indicators_of_compromise
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0005_identification_find_all_phising_attack_victims
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0040_identification_put_on_monitoring_compromised_accounts
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0006_containment_block_domain_on_email
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0028_containment_block_threat_on_network_level
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0010_eradication_delete_malicious_emails
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0011_eradication_revoke_compromised_credentials
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0012_eradication_report_phishing_attack_to_external_companies
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0013_lessons_learned_develop_incident_report
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0014_lessons_learned_conduct_lessons_learned_exercise
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0001_identification_get_original_email
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0002_identification_extract_observables_from_email
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0003_identification_make_sure_email_is_a_phising
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0004_identification_analyse_obtained_indicators_of_compromise
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0005_identification_find_all_phising_attack_victims
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0040_identification_put_on_monitoring_compromised_accounts
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0006_containment_block_domain_on_email
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0028_containment_block_threat_on_network_level
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0010_eradication_delete_malicious_emails
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0011_eradication_revoke_compromised_credentials
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0012_eradication_report_phishing_attack_to_external_companies
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0013_lessons_learned_develop_incident_report
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0014_lessons_learned_conduct_lessons_learned_exercise
+None,TA0001: Initial Access,T1059: Command-Line Interface,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0001: Initial Access,T1059: Command-Line Interface,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0001: Initial Access,T1059: Command-Line Interface,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0001: Initial Access,T1202: Indirect Command Execution,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0001: Initial Access,T1202: Indirect Command Execution,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0001: Initial Access,T1202: Indirect Command Execution,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0001_identification_get_original_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0002_identification_extract_observables_from_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0003_identification_make_sure_email_is_a_phising
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0004_identification_analyse_obtained_indicators_of_compromise
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0005_identification_find_all_phising_attack_victims
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0040_identification_put_on_monitoring_compromised_accounts
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0006_containment_block_domain_on_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0028_containment_block_threat_on_network_level
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0010_eradication_delete_malicious_emails
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0011_eradication_revoke_compromised_credentials
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0012_eradication_report_phishing_attack_to_external_companies
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0013_lessons_learned_develop_incident_report
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0014_lessons_learned_conduct_lessons_learned_exercise
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0001_identification_get_original_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0002_identification_extract_observables_from_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0003_identification_make_sure_email_is_a_phising
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0004_identification_analyse_obtained_indicators_of_compromise
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0005_identification_find_all_phising_attack_victims
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0040_identification_put_on_monitoring_compromised_accounts
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0006_containment_block_domain_on_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0028_containment_block_threat_on_network_level
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0010_eradication_delete_malicious_emails
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0011_eradication_revoke_compromised_credentials
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0012_eradication_report_phishing_attack_to_external_companies
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0013_lessons_learned_develop_incident_report
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0014_lessons_learned_conduct_lessons_learned_exercise
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0001_identification_get_original_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0002_identification_extract_observables_from_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0003_identification_make_sure_email_is_a_phising
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0004_identification_analyse_obtained_indicators_of_compromise
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0005_identification_find_all_phising_attack_victims
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0040_identification_put_on_monitoring_compromised_accounts
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0006_containment_block_domain_on_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0028_containment_block_threat_on_network_level
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0010_eradication_delete_malicious_emails
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0011_eradication_revoke_compromised_credentials
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0012_eradication_report_phishing_attack_to_external_companies
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0013_lessons_learned_develop_incident_report
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0014_lessons_learned_conduct_lessons_learned_exercise
+None,TA0002: Execution,T1059: Command-Line Interface,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1059: Command-Line Interface,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1059: Command-Line Interface,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1202: Indirect Command Execution,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1202: Indirect Command Execution,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1202: Indirect Command Execution,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0001_identification_get_original_email
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0002_identification_extract_observables_from_email
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0003_identification_make_sure_email_is_a_phising
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0004_identification_analyse_obtained_indicators_of_compromise
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0005_identification_find_all_phising_attack_victims
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0040_identification_put_on_monitoring_compromised_accounts
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0006_containment_block_domain_on_email
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0028_containment_block_threat_on_network_level
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0010_eradication_delete_malicious_emails
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0011_eradication_revoke_compromised_credentials
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0012_eradication_report_phishing_attack_to_external_companies
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0013_lessons_learned_develop_incident_report
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0014_lessons_learned_conduct_lessons_learned_exercise
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0001_identification_get_original_email
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0002_identification_extract_observables_from_email
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0003_identification_make_sure_email_is_a_phising
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0004_identification_analyse_obtained_indicators_of_compromise
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0005_identification_find_all_phising_attack_victims
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0040_identification_put_on_monitoring_compromised_accounts
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0006_containment_block_domain_on_email
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0028_containment_block_threat_on_network_level
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0010_eradication_delete_malicious_emails
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0011_eradication_revoke_compromised_credentials
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0012_eradication_report_phishing_attack_to_external_companies
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0013_lessons_learned_develop_incident_report
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0014_lessons_learned_conduct_lessons_learned_exercise
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0001_identification_get_original_email
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0002_identification_extract_observables_from_email
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0003_identification_make_sure_email_is_a_phising
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0004_identification_analyse_obtained_indicators_of_compromise
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0005_identification_find_all_phising_attack_victims
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0040_identification_put_on_monitoring_compromised_accounts
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0006_containment_block_domain_on_email
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0028_containment_block_threat_on_network_level
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0010_eradication_delete_malicious_emails
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0011_eradication_revoke_compromised_credentials
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0012_eradication_report_phishing_attack_to_external_companies
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0013_lessons_learned_develop_incident_report
+None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0014_lessons_learned_conduct_lessons_learned_exercise
+None,TA0005: Defense Evasion,T1059: Command-Line Interface,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1059: Command-Line Interface,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1059: Command-Line Interface,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1202: Indirect Command Execution,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1202: Indirect Command Execution,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1202: Indirect Command Execution,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0001_identification_get_original_email
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0002_identification_extract_observables_from_email
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0003_identification_make_sure_email_is_a_phising
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0004_identification_analyse_obtained_indicators_of_compromise
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0005_identification_find_all_phising_attack_victims
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0040_identification_put_on_monitoring_compromised_accounts
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0006_containment_block_domain_on_email
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0028_containment_block_threat_on_network_level
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0010_eradication_delete_malicious_emails
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0011_eradication_revoke_compromised_credentials
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0012_eradication_report_phishing_attack_to_external_companies
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0013_lessons_learned_develop_incident_report
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0014_lessons_learned_conduct_lessons_learned_exercise
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0001_identification_get_original_email
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0002_identification_extract_observables_from_email
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0003_identification_make_sure_email_is_a_phising
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0004_identification_analyse_obtained_indicators_of_compromise
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0005_identification_find_all_phising_attack_victims
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0040_identification_put_on_monitoring_compromised_accounts
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0006_containment_block_domain_on_email
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0028_containment_block_threat_on_network_level
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0010_eradication_delete_malicious_emails
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0011_eradication_revoke_compromised_credentials
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0012_eradication_report_phishing_attack_to_external_companies
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0013_lessons_learned_develop_incident_report
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0014_lessons_learned_conduct_lessons_learned_exercise
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0001_identification_get_original_email
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0002_identification_extract_observables_from_email
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0003_identification_make_sure_email_is_a_phising
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0004_identification_analyse_obtained_indicators_of_compromise
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0005_identification_find_all_phising_attack_victims
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0040_identification_put_on_monitoring_compromised_accounts
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0006_containment_block_domain_on_email
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0028_containment_block_threat_on_network_level
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0010_eradication_delete_malicious_emails
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0011_eradication_revoke_compromised_credentials
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0012_eradication_report_phishing_attack_to_external_companies
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0013_lessons_learned_develop_incident_report
+None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0014_lessons_learned_conduct_lessons_learned_exercise
+None,TA0001: Initial Access,T1059: Command-Line Interface,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0001: Initial Access,T1059: Command-Line Interface,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0001: Initial Access,T1059: Command-Line Interface,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0001: Initial Access,T1202: Indirect Command Execution,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0001: Initial Access,T1202: Indirect Command Execution,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0001: Initial Access,T1202: Indirect Command Execution,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0001_identification_get_original_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0002_identification_extract_observables_from_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0003_identification_make_sure_email_is_a_phising
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0004_identification_analyse_obtained_indicators_of_compromise
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0005_identification_find_all_phising_attack_victims
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0040_identification_put_on_monitoring_compromised_accounts
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0006_containment_block_domain_on_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0028_containment_block_threat_on_network_level
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0010_eradication_delete_malicious_emails
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0011_eradication_revoke_compromised_credentials
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0012_eradication_report_phishing_attack_to_external_companies
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0013_lessons_learned_develop_incident_report
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_0014_lessons_learned_conduct_lessons_learned_exercise
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0001_identification_get_original_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0002_identification_extract_observables_from_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0003_identification_make_sure_email_is_a_phising
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0004_identification_analyse_obtained_indicators_of_compromise
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0005_identification_find_all_phising_attack_victims
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0040_identification_put_on_monitoring_compromised_accounts
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0006_containment_block_domain_on_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0028_containment_block_threat_on_network_level
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0010_eradication_delete_malicious_emails
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0011_eradication_revoke_compromised_credentials
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0012_eradication_report_phishing_attack_to_external_companies
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0013_lessons_learned_develop_incident_report
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_0014_lessons_learned_conduct_lessons_learned_exercise
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0001_identification_get_original_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0002_identification_extract_observables_from_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0003_identification_make_sure_email_is_a_phising
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0004_identification_analyse_obtained_indicators_of_compromise
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0005_identification_find_all_phising_attack_victims
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0040_identification_put_on_monitoring_compromised_accounts
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0006_containment_block_domain_on_email
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0028_containment_block_threat_on_network_level
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0010_eradication_delete_malicious_emails
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0011_eradication_revoke_compromised_credentials
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0012_eradication_report_phishing_attack_to_external_companies
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0013_lessons_learned_develop_incident_report
+None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_0014_lessons_learned_conduct_lessons_learned_exercise
+TESTCUSTOMER,TA0002: Execution,T1086: PowerShell,Suspicious XOR Encoded PowerShell Command Line,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+TESTCUSTOMER,TA0002: Execution,T1086: PowerShell,Suspicious XOR Encoded PowerShell Command Line,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+TESTCUSTOMER,TA0002: Execution,T1086: PowerShell,Suspicious XOR Encoded PowerShell Command Line,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+TESTCUSTOMER,TA0002: Execution,T1086: PowerShell,Suspicious XOR Encoded PowerShell Command Line,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+TESTCUSTOMER,TA0002: Execution,T1086: PowerShell,Suspicious XOR Encoded PowerShell Command Line,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+TESTCUSTOMER,TA0002: Execution,T1086: PowerShell,Suspicious XOR Encoded PowerShell Command Line,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Windows Processes Suspicious Parent Directory,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Windows Processes Suspicious Parent Directory,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Windows Processes Suspicious Parent Directory,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Windows Processes Suspicious Parent Directory,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Windows Processes Suspicious Parent Directory,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Windows Processes Suspicious Parent Directory,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Suspicious Control Panel DLL Load,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Suspicious Control Panel DLL Load,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Suspicious Control Panel DLL Load,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1085: Rundll32,Suspicious Control Panel DLL Load,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1085: Rundll32,Suspicious Control Panel DLL Load,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1085: Rundll32,Suspicious Control Panel DLL Load,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Suspicious Control Panel DLL Load,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Suspicious Control Panel DLL Load,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Suspicious Control Panel DLL Load,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1085: Rundll32,Suspicious Control Panel DLL Load,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1085: Rundll32,Suspicious Control Panel DLL Load,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1085: Rundll32,Suspicious Control Panel DLL Load,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+TESTCUSTOMER,TA0005: Defense Evasion,T1036: Masquerading,Exploit for CVE-2015-1641,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+TESTCUSTOMER,TA0005: Defense Evasion,T1036: Masquerading,Exploit for CVE-2015-1641,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+TESTCUSTOMER,TA0005: Defense Evasion,T1036: Masquerading,Exploit for CVE-2015-1641,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+TESTCUSTOMER,TA0005: Defense Evasion,T1036: Masquerading,Exploit for CVE-2015-1641,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+TESTCUSTOMER,TA0005: Defense Evasion,T1036: Masquerading,Exploit for CVE-2015-1641,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+TESTCUSTOMER,TA0005: Defense Evasion,T1036: Masquerading,Exploit for CVE-2015-1641,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1059: Command-Line Interface,Suspicious Execution from Outlook,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1059: Command-Line Interface,Suspicious Execution from Outlook,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1059: Command-Line Interface,Suspicious Execution from Outlook,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1202: Indirect Command Execution,Suspicious Execution from Outlook,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1202: Indirect Command Execution,Suspicious Execution from Outlook,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1202: Indirect Command Execution,Suspicious Execution from Outlook,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1059: Command-Line Interface,Suspicious Execution from Outlook,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1059: Command-Line Interface,Suspicious Execution from Outlook,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1059: Command-Line Interface,Suspicious Execution from Outlook,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1202: Indirect Command Execution,Suspicious Execution from Outlook,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1202: Indirect Command Execution,Suspicious Execution from Outlook,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1202: Indirect Command Execution,Suspicious Execution from Outlook,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0003: Persistence,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0003: Persistence,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0003: Persistence,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0002: Execution,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0002: Execution,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0003: Persistence,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0003: Persistence,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0003: Persistence,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Execution of Renamed PaExec,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Detection LSASS Access,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0007_windows_sysmon_ProcessAccess,,,-,title
+None,TA0003: Persistence,T1050: New Service,Suspicious Driver Load from Temp,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,-,,,-,title
 None,TA0005: Defense Evasion,T1088: Bypass User Account Control,UAC Bypass via Event Viewer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title
 None,TA0005: Defense Evasion,T1088: Bypass User Account Control,UAC Bypass via Event Viewer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title
 None,TA0004: Privilege Escalation,T1088: Bypass User Account Control,UAC Bypass via Event Viewer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title
@@ -6818,11 +1639,213 @@ None,TA0005: Defense Evasion,T1088: Bypass User Account Control,UAC Bypass via E
 None,TA0005: Defense Evasion,T1088: Bypass User Account Control,UAC Bypass via Event Viewer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
 None,TA0004: Privilege Escalation,T1088: Bypass User Account Control,UAC Bypass via Event Viewer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,-,,,-,title
 None,TA0004: Privilege Escalation,T1088: Bypass User Account Control,UAC Bypass via Event Viewer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
-None,TA0003: Persistence,T1011: Exfiltration Over Other Network Medium,Security Support Provider (SSP) added to LSA configuration,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title
-None,TA0003: Persistence,T1060: Registry Run Keys / Startup Folder,New RUN Key Pointing to Suspicious Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title
+None,TA0003: Persistence,T1084: Windows Management Instrumentation Event Subscription,WMI Event Subscription,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0010_windows_sysmon_WmiEvent,,,-,title
+None,TA0003: Persistence,T1084: Windows Management Instrumentation Event Subscription,WMI Event Subscription,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0010_windows_sysmon_WmiEvent,,,-,title
+None,TA0003: Persistence,T1084: Windows Management Instrumentation Event Subscription,WMI Event Subscription,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0010_windows_sysmon_WmiEvent,,,-,title
+None,TA0005: Defense Evasion,T1055: Process Injection,CobaltStrike Process Injection,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,-,,,-,title
 None,TA0005: Defense Evasion,T1073: DLL Side-Loading,DHCP Callout DLL installation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title
 None,TA0005: Defense Evasion,T1112: Modify Registry,DHCP Callout DLL installation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title
+None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title
+None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0008_windows_sysmon_FileCreate,,,-,title
+None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title
+None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0008_windows_sysmon_FileCreate,,,-,title
+None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,-,,,-,title
+None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0008_windows_sysmon_FileCreate,,,-,title
+None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,-,,,-,title
+None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0008_windows_sysmon_FileCreate,,,-,title
+None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,-,,,-,title
+None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0008_windows_sysmon_FileCreate,,,-,title
+None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,-,,,-,title
+None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0008_windows_sysmon_FileCreate,,,-,title
+None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,-,,,-,title
+None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0008_windows_sysmon_FileCreate,,,-,title
+None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,-,,,-,title
+None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0008_windows_sysmon_FileCreate,,,-,title
+None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,-,,,-,title
+None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0008_windows_sysmon_FileCreate,,,-,title
+None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,-,,,-,title
+None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0008_windows_sysmon_FileCreate,,,-,title
+None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,-,title
+None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0008_windows_sysmon_FileCreate,,,-,title
+None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,-,title
+None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0008_windows_sysmon_FileCreate,,,-,title
+None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0008: Lateral Movement,T1105: Remote File Copy,Microsoft Binary Github Communication,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0005_windows_sysmon_network_connection,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,Detection of SafetyKatz,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0008_windows_sysmon_FileCreate,,,-,title
+None,TA0005: Defense Evasion,T1076: Remote Desktop Protocol,RDP over Reverse SSH Tunnel,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0005_windows_sysmon_network_connection,,,-,title
+None,TA0011: Command and Control,T1076: Remote Desktop Protocol,RDP over Reverse SSH Tunnel,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0005_windows_sysmon_network_connection,,,-,title
+None,TA0004: Privilege Escalation,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title
+None,TA0004: Privilege Escalation,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0004: Privilege Escalation,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0004: Privilege Escalation,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0003: Persistence,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title
+None,TA0003: Persistence,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0003: Persistence,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0003: Persistence,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0004: Privilege Escalation,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,-,,,-,title
+None,TA0004: Privilege Escalation,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0004: Privilege Escalation,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0004: Privilege Escalation,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0003: Persistence,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,-,,,-,title
+None,TA0003: Persistence,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0003: Persistence,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0003: Persistence,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0004: Privilege Escalation,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,-,,,-,title
+None,TA0004: Privilege Escalation,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0004: Privilege Escalation,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0004: Privilege Escalation,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0003: Persistence,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,-,,,-,title
+None,TA0003: Persistence,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0003: Persistence,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0003: Persistence,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0003: Persistence,T1122: Component Object Model Hijacking,Windows Registry Persistence - COM key linking,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,-,title
+None,TA0005: Defense Evasion,T1055: Process Injection,Malware Shellcode in Verclsid Target Process,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0007_windows_sysmon_ProcessAccess,,,-,title
+None,TA0004: Privilege Escalation,T1055: Process Injection,Malware Shellcode in Verclsid Target Process,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0007_windows_sysmon_ProcessAccess,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,QuarksPwDump Dump File,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0008_windows_sysmon_FileCreate,,,-,title
+None,TA0002: Execution,T1177: LSASS Driver,DLL Load via LSASS,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title
+None,TA0002: Execution,T1177: LSASS Driver,DLL Load via LSASS,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,-,title
 None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz through Windows Remote Management,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0007_windows_sysmon_ProcessAccess,,,-,title
 None,TA0006: Credential Access,T1028: Windows Remote Management,Mimikatz through Windows Remote Management,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0007_windows_sysmon_ProcessAccess,,,-,title
 None,TA0002: Execution,T1003: Credential Dumping,Mimikatz through Windows Remote Management,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0007_windows_sysmon_ProcessAccess,,,-,title
 None,TA0002: Execution,T1028: Windows Remote Management,Mimikatz through Windows Remote Management,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0007_windows_sysmon_ProcessAccess,,,-,title
+None,TA0003: Persistence,T1073: DLL Side-Loading,Svchost DLL Search Order Hijack,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,-,title
+None,TA0003: Persistence,T1038: DLL Search Order Hijacking,Svchost DLL Search Order Hijack,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,-,title
+None,TA0003: Persistence,T1112: Modify Registry,Svchost DLL Search Order Hijack,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,-,title
+None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Svchost DLL Search Order Hijack,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,-,title
+None,TA0005: Defense Evasion,T1038: DLL Search Order Hijacking,Svchost DLL Search Order Hijack,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,-,title
+None,TA0005: Defense Evasion,T1112: Modify Registry,Svchost DLL Search Order Hijack,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,-,title
+None,TA0003: Persistence,T1084: Windows Management Instrumentation Event Subscription,WMI Persistence - Script Event Consumer File Write,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0008_windows_sysmon_FileCreate,,,-,title
+None,TA0002: Execution,T1086: PowerShell,Suspicious Scripting in a WMI Consumer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0010_windows_sysmon_WmiEvent,,,-,title
+None,TA0005: Defense Evasion,T1085: Rundll32,Rundll32 Internet Connection,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0005_windows_sysmon_network_connection,,,-,title
+None,TA0002: Execution,T1085: Rundll32,Rundll32 Internet Connection,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0005_windows_sysmon_network_connection,,,-,title
+None,TA0003: Persistence,T1084: Windows Management Instrumentation Event Subscription,WMI Persistence - Command Line Event Consumer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,-,title
+None,TA0002: Execution,T1086: PowerShell,Malicious PowerShell Commandlet Names,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0008_windows_sysmon_FileCreate,,,-,title
+None,TA0003: Persistence,T1060: Registry Run Keys / Startup Folder,Suspicious RUN Key from Download,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title
+None,TA0003: Persistence,T1011: Exfiltration Over Other Network Medium,Security Support Provider (SSP) added to LSA configuration,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title
+None,TA0005: Defense Evasion,T1027: Obfuscated Files or Information,Executable in ADS,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,-,,,-,title
+None,TA0003: Persistence,T1060: Registry Run Keys / Startup Folder,New RUN Key Pointing to Suspicious Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title
+None,TA0002: Execution,T1086: PowerShell,PowerShell Network Connections,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0005_windows_sysmon_network_connection,,,-,title
+None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Possible Process Hollowing Image Loading,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,-,title
+None,TA0011: Command and Control,T1043: Commonly Used Port,Suspicious Typical Malware Back Connect Ports,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0005_windows_sysmon_network_connection,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Renamed ProcDump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Renamed ProcDump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Renamed ProcDump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0006_windows_sysmon_image_loaded,,,-,title
+None,TA0005: Defense Evasion,T1036: Masquerading,Renamed ProcDump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0007_windows_sysmon_ProcessAccess,,,-,title
+TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0001_windows_audit_process_creation,,,-,title
+TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0003_windows_sysmon_process_creation,,,-,title
+TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0007_windows_sysmon_ProcessAccess,,,-,title
+TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0001_windows_audit_process_creation,,,-,title
+TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0003_windows_sysmon_process_creation,,,-,title
+TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0007_windows_sysmon_ProcessAccess,,,-,title
+TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0001_windows_audit_process_creation,,,-,title
+TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title
+TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0007_windows_sysmon_ProcessAccess,,,-,title
+TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0001_windows_audit_process_creation,,,-,title
+TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title
+TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0007_windows_sysmon_ProcessAccess,,,-,title
+TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0007_windows_sysmon_ProcessAccess,,,-,title
+TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0007_windows_sysmon_ProcessAccess,,,-,title
+TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0007_windows_sysmon_ProcessAccess,,,-,title
+TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0007_windows_sysmon_ProcessAccess,,,-,title
+TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0001_windows_audit_process_creation,,,-,title
+TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title
+TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0007_windows_sysmon_ProcessAccess,,,-,title
+TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0001_windows_audit_process_creation,,,-,title
+TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0003: Persistence,T1060: Registry Run Keys / Startup Folder,Registry Persistence via Explorer Run Key,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title
+None,TA0008: Lateral Movement,T1105: Remote File Copy,Microsoft Binary Suspicious Communication Endpoint,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0005_windows_sysmon_network_connection,,,-,title
+None,TA0005: Defense Evasion,T1088: Bypass User Account Control,UAC Bypass via sdclt,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title
+None,TA0004: Privilege Escalation,T1088: Bypass User Account Control,UAC Bypass via sdclt,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title
+None,TA0005: Defense Evasion,T1085: Rundll32,PowerShell Rundll32 Remote Thread Creation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,-,,,-,title
+None,TA0005: Defense Evasion,T1086: PowerShell,PowerShell Rundll32 Remote Thread Creation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,-,,,-,title
+None,TA0002: Execution,T1085: Rundll32,PowerShell Rundll32 Remote Thread Creation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,-,,,-,title
+None,TA0002: Execution,T1086: PowerShell,PowerShell Rundll32 Remote Thread Creation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,-,,,-,title
+None,TA0005: Defense Evasion,T1073: DLL Side-Loading,DNS ServerLevelPluginDll Install,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title
+None,TA0005: Defense Evasion,T1073: DLL Side-Loading,DNS ServerLevelPluginDll Install,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1073: DLL Side-Loading,DNS ServerLevelPluginDll Install,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1073: DLL Side-Loading,DNS ServerLevelPluginDll Install,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1073: DLL Side-Loading,DNS ServerLevelPluginDll Install,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,-,,,-,title
+None,TA0005: Defense Evasion,T1073: DLL Side-Loading,DNS ServerLevelPluginDll Install,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1073: DLL Side-Loading,DNS ServerLevelPluginDll Install,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1073: DLL Side-Loading,DNS ServerLevelPluginDll Install,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1073: DLL Side-Loading,DNS ServerLevelPluginDll Install,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,-,,,-,title
+None,TA0005: Defense Evasion,T1073: DLL Side-Loading,DNS ServerLevelPluginDll Install,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1073: DLL Side-Loading,DNS ServerLevelPluginDll Install,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
+None,TA0005: Defense Evasion,T1073: DLL Side-Loading,DNS ServerLevelPluginDll Install,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1055: Process Injection,Malicious Named Pipe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0009_windows_sysmon_PipeEvent,,,-,title
+None,TA0004: Privilege Escalation,T1055: Process Injection,Malicious Named Pipe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0009_windows_sysmon_PipeEvent,,,-,title
+None,TA0005: Defense Evasion,T1055: Process Injection,Malicious Named Pipe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0009_windows_sysmon_PipeEvent,,,-,title
+None,TA0004: Privilege Escalation,T1055: Process Injection,Malicious Named Pipe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0009_windows_sysmon_PipeEvent,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,Password Dumper Remote Thread in LSASS,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,-,,,-,title
+None,TA0008: Lateral Movement,T1210: Exploitation of Remote Services,Suspicious Outbound RDP Connections,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0005_windows_sysmon_network_connection,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,LSASS Memory Dump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0007_windows_sysmon_ProcessAccess,,,-,title
+None,TA0002: Execution,T1055: Process Injection,CACTUSTORCH Remote Thread Creation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,-,,,-,title
+None,TA0002: Execution,T1064: Scripting,CACTUSTORCH Remote Thread Creation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,-,,,-,title
+None,TA0003: Persistence,T1100: Web Shell,Windows webshell creation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0008_windows_sysmon_FileCreate,,,-,title
+None,TA0004: Privilege Escalation,T1183: Image File Execution Options Injection,Registry Persistence Mechanisms,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title
+None,TA0003: Persistence,T1183: Image File Execution Options Injection,Registry Persistence Mechanisms,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title
+None,TA0005: Defense Evasion,T1183: Image File Execution Options Injection,Registry Persistence Mechanisms,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title
+None,TA0005: Defense Evasion,T1064: Scripting,Suspicious File Characteristics due to Missing Fields,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,-,title
+None,TA0005: Defense Evasion,T1064: Scripting,Suspicious File Characteristics due to Missing Fields,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1064: Scripting,Suspicious File Characteristics due to Missing Fields,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,-,title
+None,TA0002: Execution,T1064: Scripting,Suspicious File Characteristics due to Missing Fields,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0005: Defense Evasion,T1064: Scripting,Suspicious File Characteristics due to Missing Fields,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0006_windows_sysmon_image_loaded,,,-,title
+None,TA0005: Defense Evasion,T1064: Scripting,Suspicious File Characteristics due to Missing Fields,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0002: Execution,T1064: Scripting,Suspicious File Characteristics due to Missing Fields,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0006_windows_sysmon_image_loaded,,,-,title
+None,TA0002: Execution,T1064: Scripting,Suspicious File Characteristics due to Missing Fields,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
+None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz In-Memory,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,-,title
+None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz In-Memory,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,-,title
diff --git a/analytics/generated/atc_es_index.json b/analytics/generated/atc_es_index.json
index 2102dfa..7fed3f2 100644
--- a/analytics/generated/atc_es_index.json
+++ b/analytics/generated/atc_es_index.json
@@ -1,466 +1,558 @@
-{"index": {"_id": 5619585470437937992}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["not defined"], "technique": ["not defined"], "detection_rule": "Relevant Anti-Virus Event", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -691159440462865569}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0007: Discovery"], "technique": ["T1087: Account Discovery", "T1069: Permission Groups Discovery"], "detection_rule": "Reconnaissance Activity", "detection_rule_author": "Florian Roth (rule), Jack Croock (method)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0029_4661_handle_to_an_object_was_requested"], "logging_policy": ["LP_0028_windows_audit_sam", "LP_0027_windows_audit_directory_service_access"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -6472842764049556221}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0006: Credential Access"], "technique": ["T1208: Kerberoasting"], "detection_rule": "Suspicious Kerberos RC4 Ticket Encryption", "detection_rule_author": "not defined", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0077_4769_kerberos_service_ticket_was_requested"], "logging_policy": ["LP_0106_windows_audit_kerberos_service_ticket_operations"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -471021048099822137}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0006: Credential Access"], "technique": ["T1003: Credential Dumping"], "detection_rule": "SAM Dump to AppData", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["System"], "provider": ["Microsoft-Windows-Kernel-General"], "data_needed": ["DN_0083_16_access_history_in_hive_was_cleared"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -2551712999465071090}}
-{"date_created": "2019-02-05T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1099: Timestomp"], "detection_rule": "Unauthorized System Time Modification", "detection_rule_author": "@neu5ron", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0088_4616_system_time_was_changed"], "logging_policy": ["LP_0046_windows_audit_security_state_change"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 1230863875832694224}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0003: Persistence", "TA0008: Lateral Movement"], "technique": ["T1053: Scheduled Task"], "detection_rule": "Persistence and Execution at scale via GPO scheduled task", "detection_rule_author": "Samir Bousseaden", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0032_5145_network_share_object_was_accessed_detailed"], "logging_policy": ["LP_0029_windows_audit_detailed_file_share"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 7810830097344696488}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0006: Credential Access"], "technique": ["T1003: Credential Dumping"], "detection_rule": "Malicious Service Install", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["System", "Security"], "provider": ["Service Control Manager", "Microsoft-Windows-Kernel-General", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0005_7045_windows_service_insatalled", "DN_0083_16_access_history_in_hive_was_cleared", "DN_0063_4697_service_was_installed_in_the_system"], "logging_policy": ["not defined", "LP_0100_windows_audit_security_system_extension"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 7470639705880869595}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0003: Persistence", "TA0004: Privilege Escalation"], "technique": ["T1078: Valid Accounts"], "detection_rule": "Account Tampering - Suspicious Failed Logon Reasons", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0057_4625_account_failed_to_logon", "DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account"], "logging_policy": ["LP_0004_windows_audit_logon", "LP_0107_windows_audit_credential_validation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -3744645784028087989}}
-{"date_created": "2018-06-03T00:00:00", "customer": ["None"], "tactic": ["TA0006: Credential Access"], "technique": ["T1003: Credential Dumping"], "detection_rule": "Mimikatz DC Sync", "detection_rule_author": "Benjamin Delpy, Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0030_4662_operation_was_performed_on_an_object"], "logging_policy": ["LP_0027_windows_audit_directory_service_access"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 7403466739081761245}}
-{"date_created": "2019-01-28T00:00:00", "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "technique": ["T1076: Remote Desktop Protocol"], "detection_rule": "RDP Login from localhost", "detection_rule_author": "Thomas Patzke", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0004_4624_windows_account_logon"], "logging_policy": ["LP_0004_windows_audit_logon"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 3075716859032926378}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0008: Lateral Movement", "TA0003: Persistence"], "technique": ["not defined"], "detection_rule": "Remote Service Activity Detected via SVCCTL named pipe", "detection_rule_author": "Samir Bousseaden", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0032_5145_network_share_object_was_accessed_detailed"], "logging_policy": ["LP_0029_windows_audit_detailed_file_share"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -5127364627705951978}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0007: Discovery"], "technique": ["T1087: Account Discovery"], "detection_rule": "AD Privileged Users or Groups Reconnaissance", "detection_rule_author": "Samir Bousseaden", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0029_4661_handle_to_an_object_was_requested"], "logging_policy": ["LP_0028_windows_audit_sam", "LP_0027_windows_audit_directory_service_access"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -1402963077448082875}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1107: File Deletion", "T1066: Indicator Removal from Tools"], "detection_rule": "Secure Deletion with SDelete", "detection_rule_author": "Thomas Patzke", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0060_4658_handle_to_an_object_was_closed", "DN_0058_4656_handle_to_an_object_was_requested", "DN_0062_4663_attempt_was_made_to_access_an_object"], "logging_policy": ["LP_0102_windows_audit_file_system", "LP_0039_windows_audit_kernel_object", "LP_0104_windows_audit_removable_storage", "LP_0103_windows_audit_registry", "LP_0042_windows_audit_handle_manipulation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 7279272839753483916}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "technique": ["T1075: Pass the Hash"], "detection_rule": "Pass the Hash Activity", "detection_rule_author": "Dave Kennedy, Jeff Warren (method) / David Vassallo (rule)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "production", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0004_4624_windows_account_logon"], "logging_policy": ["LP_0004_windows_audit_logon"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 1239650723211446851}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0006: Credential Access", "TA0003: Persistence"], "technique": ["T1098: Account Manipulation"], "detection_rule": "Active Directory User Backdoors", "detection_rule_author": "@neu5ron", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0026_5136_windows_directory_service_object_was_modified", "DN_0027_4738_user_account_was_changed"], "logging_policy": ["not defined", "LP_0026_windows_audit_user_account_management"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 289893035300680788}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0003: Persistence", "TA0004: Privilege Escalation"], "technique": ["T1178: SID-History Injection"], "detection_rule": "Addition of SID History to Active Directory Object", "detection_rule_author": "Thomas Patzke, @atc_project (improvements)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "stable", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0074_4765_sid_history_was_added_to_an_account", "DN_0027_4738_user_account_was_changed", "DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed"], "logging_policy": ["LP_0026_windows_audit_user_account_management"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -4119493232626179015}}
-{"date_created": "2018-06-08T00:00:00", "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "technique": ["T1075: Pass the Hash"], "detection_rule": "NTLM Logon", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-NTLM/Operational"], "provider": ["Microsoft-Windows-NTLM"], "data_needed": ["DN_0082_8002_ntlm_server_blocked_audit"], "logging_policy": ["LP_0044_windows_ntlm_audit"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 9003373623296715330}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "technique": ["T1078: Valid Accounts"], "detection_rule": "Admin User Remote Logon", "detection_rule_author": "juju4", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0004_4624_windows_account_logon"], "logging_policy": ["LP_0004_windows_audit_logon"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -4994555292121376454}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0003: Persistence"], "technique": ["T1136: Create Account"], "detection_rule": "Detects local user creation", "detection_rule_author": "Patrick Bareiss", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0086_4720_user_account_was_created"], "logging_policy": ["LP_0026_windows_audit_user_account_management"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 9056994035629420044}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0002: Execution", "TA0004: Privilege Escalation", "TA0003: Persistence"], "technique": ["T1053: Scheduled Task"], "detection_rule": "Rare Schtasks Creations", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0064_4698_scheduled_task_was_created"], "logging_policy": ["LP_0041_windows_audit_other_object_access_events"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -7746245141423051694}}
-{"date_created": "2018-02-12T00:00:00", "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "technique": ["T1075: Pass the Hash"], "detection_rule": "Successful Overpass the Hash Attempt", "detection_rule_author": "Roberto Rodriguez (source), Dominik Schaudel (rule)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0004_4624_windows_account_logon"], "logging_policy": ["LP_0004_windows_audit_logon"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -1051544051986185707}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1070: Indicator Removal on Host"], "detection_rule": "Security Eventlog Cleared", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Eventlog"], "data_needed": ["DN_0050_1102_audit_log_was_cleared", "DN_0038_1102_the_audit_log_was_cleared"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -8248476822416704713}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1070: Indicator Removal on Host"], "detection_rule": "Eventlog Cleared", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["System"], "provider": ["Microsoft-Windows-Eventlog"], "data_needed": ["DN_0034_104_log_file_was_cleared"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -2810404487645632244}}
-{"date_created": "2019-04-03T00:00:00", "customer": ["None"], "tactic": ["TA0006: Credential Access", "TA0003: Persistence"], "technique": ["not defined"], "detection_rule": "Powerview Add-DomainObjectAcl DCSync AD Extend Right", "detection_rule_author": "Samir Bousseaden", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0026_5136_windows_directory_service_object_was_modified"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 8301831163114331406}}
-{"date_created": "2017-05-15T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1073: DLL Side-Loading"], "detection_rule": "DHCP Server Loaded the CallOut DLL", "detection_rule_author": "Dimitrios Slamaris", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["System"], "provider": ["Microsoft-Windows-DHCP-Server"], "data_needed": ["DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -6112986542890966634}}
-{"date_created": "2017-05-15T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1140: Deobfuscate/Decode Files or Information"], "detection_rule": "MSHTA Suspicious Execution 01", "detection_rule_author": "Diego Perez (@darkquassar)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -1379024771305203496}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0001: Initial Access", "TA0008: Lateral Movement"], "technique": ["T1210: Exploitation of Remote Services", "T1190: Exploit Public-Facing Application"], "detection_rule": "Potential RDP exploit CVE-2019-0708", "detection_rule_author": "Lionel PRAT, Christophe BROCAS, @atc_project (improvements)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["System"], "provider": ["TermDD"], "data_needed": ["DN_0090_50_terminal_server_security_layer_detected_an_error", "DN_0089_56_terminal_server_security_layer_detected_an_error"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -1879626382910063031}}
-{"date_created": "2018-03-20T00:00:00", "customer": ["None"], "tactic": ["TA0008: Lateral Movement", "TA0002: Execution"], "technique": ["T1077: Windows Admin Shares", "T1035: Service Execution"], "detection_rule": "smbexec.py Service Installation", "detection_rule_author": "Omer Faruk Celik", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["System"], "provider": ["Service Control Manager"], "data_needed": ["DN_0005_7045_windows_service_insatalled"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 8863127310731081066}}
-{"date_created": "2017-05-08T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1073: DLL Side-Loading"], "detection_rule": "DNS Server Error Failed Loading the ServerLevelPluginDLL", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["DNS Server"], "provider": ["Microsoft-Windows-DNS-Server-Service"], "data_needed": ["DN_0043_770_dns_server_plugin_dll_has_been_loaded", "DN_0036_150_dns_server_could_not_load_dll"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 8850113067464855875}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0003: Persistence", "TA0004: Privilege Escalation"], "technique": ["T1050: New Service"], "detection_rule": "Malicious Service Installations", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["System"], "provider": ["Service Control Manager"], "data_needed": ["DN_0005_7045_windows_service_insatalled"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -8551540021650703113}}
-{"date_created": "2017-05-31T00:00:00", "customer": ["None"], "tactic": ["TA0007: Discovery", "TA0002: Execution"], "technique": ["T1087: Account Discovery", "T1075: Pass the Hash", "T1114: Email Collection", "T1059: Command-Line Interface"], "detection_rule": "Hacktool Ruler", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0057_4625_account_failed_to_logon", "DN_0004_4624_windows_account_logon", "DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account"], "logging_policy": ["LP_0004_windows_audit_logon", "LP_0107_windows_audit_credential_validation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -8146462541116562698}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0008: Lateral Movement", "TA0006: Credential Access"], "technique": ["T1003: Credential Dumping"], "detection_rule": "Mimikatz Use", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "System", "Application", "Microsoft-Windows-Sysmon/Operational", "Microsoft-Windows-DriverFrameworks-UserMode/Operational", "Microsoft-Windows-NTLM/Operational", "Microsoft-Windows-WMI-Activity/Operational", "Windows PowerShell", "Microsoft-Windows-Windows Defender/Operational", "Microsoft-Windows-PowerShell/Operational", "DNS Server", "Microsoft-Windows-TaskScheduler/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Service Control Manager", "Windows Error Reporting", "Microsoft-Windows-Sysmon", "Microsoft-Windows-DHCP-Server", "Microsoft-Windows-Eventlog", "TermDD", "Microsoft-Windows-DriverFrameworks-UserMode", "Microsoft-Windows-NTLM", "Microsoft-Windows-Kernel-General", "Microsoft-Windows-WMI-Activity", "Microsoft-Windows-Backup", "PowerShell", "Microsoft-Windows-Windows Defender", "Microsoft-Windows-PowerShell", "Microsoft-Windows-DNS-Server-Service", "Application Error", "Microsoft-Windows-TaskScheduler"], "data_needed": ["DN_0064_4698_scheduled_task_was_created", "DN_0005_7045_windows_service_insatalled", "DN_0045_1001_windows_error_reporting", "DN_0026_5136_windows_directory_service_object_was_modified", "DN_0007_3_windows_sysmon_network_connection", "DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls", "DN_0050_1102_audit_log_was_cleared", "DN_0057_4625_account_failed_to_logon", "DN_0042_675_kerberos_preauthentication_failed", "DN_0060_4658_handle_to_an_object_was_closed", "DN_0070_4735_security_enabled_local_group_was_changed", "DN_0009_5_windows_sysmon_process_terminated", "DN_0090_50_terminal_server_security_layer_detected_an_error", "DN_0030_4662_operation_was_performed_on_an_object", "DN_0015_11_windows_sysmon_FileCreate", "DN_0049_1034_dhcp_service_failed_to_load_callout_dlls", "DN_0032_5145_network_share_object_was_accessed_detailed", "DN_0004_4624_windows_account_logon", "DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception", "DN_0010_6_windows_sysmon_driver_loaded", "DN_0001_4688_windows_process_creation", "DN_0077_4769_kerberos_service_ticket_was_requested", "DN_0019_15_windows_sysmon_FileCreateStreamHash", "DN_0078_4771_kerberos_pre_authentication_failed", "DN_0054_2102_pnp_or_power_operation_for_usb_device", "DN_0082_8002_ntlm_server_blocked_audit", "DN_0058_4656_handle_to_an_object_was_requested", "DN_0028_4794_directory_services_restore_mode_admin_password_set", "DN_0083_16_access_history_in_hive_was_cleared", "DN_0012_8_windows_sysmon_CreateRemoteThread", "DN_0081_5861_wmi_activity", "DN_0088_4616_system_time_was_changed", "DN_0068_4728_member_was_added_to_security_enabled_global_group", "DN_0038_1102_the_audit_log_was_cleared", "DN_0039_524_system_catalog_has_been_deleted", "DN_0074_4765_sid_history_was_added_to_an_account", "DN_0023_20_windows_sysmon_WmiEvent", "DN_0080_5859_wmi_activity", "DN_0040_528_user_successfully_logged_on_to_a_computer", "DN_0066_4704_user_right_was_assigned", "DN_0063_4697_service_was_installed_in_the_system", "DN_0072_4755_security_enabled_universal_group_was_changed", "DN_0024_21_windows_sysmon_WmiEvent", "DN_0008_4_windows_sysmon_sysmon_service_state_changed", "DN_0033_5140_network_share_object_was_accessed", "DN_0065_4701_scheduled_task_was_disabled", "DN_0038_400_engine_state_is_changed_from_none_to_available", "DN_0073_4756_member_was_added_to_a_security_enabled_universal_group", "DN_0076_4768_kerberos_authentication_ticket_was_requested", "DN_0051_1121_attack_surface_reduction_blocking_mode_event", "DN_0053_2100_pnp_or_power_operation_for_usb_device", "DN_0013_9_windows_sysmon_RawAccessRead", "DN_0061_4660_object_was_deleted", "DN_0059_4657_registry_value_was_modified", "DN_0017_13_windows_sysmon_RegistryEvent", "DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account", "DN_0014_10_windows_sysmon_ProcessAccess", "DN_0037_4103_windows_powershell_executing_pipeline", "DN_0089_56_terminal_server_security_layer_detected_an_error", "DN_0034_104_log_file_was_cleared", "DN_0027_4738_user_account_was_changed", "DN_0062_4663_attempt_was_made_to_access_an_object", "DN_0043_770_dns_server_plugin_dll_has_been_loaded", "DN_0087_5156_windows_filtering_platform_has_permitted_connection", "DN_0044_1000_application_crashed", "DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception", "DN_0085_22_windows_sysmon_DnsQuery", "DN_0006_2_windows_sysmon_process_changed_a_file_creation_time", "DN_0011_7_windows_sysmon_image_loaded", "DN_0016_12_windows_sysmon_RegistryEvent", "DN_0031_7036_service_started_stopped", "DN_0067_4719_system_audit_policy_was_changed", "DN_0022_19_windows_sysmon_WmiEvent", "DN_0029_4661_handle_to_an_object_was_requested", "DN_0035_106_task_scheduler_task_registered", "DN_0052_2003_query_to_load_usb_drivers", "DN_0069_4732_member_was_added_to_security_enabled_local_group", "DN_0036_4104_windows_powershell_script_block", "DN_0003_1_windows_sysmon_process_creation", "DN_0021_18_windows_sysmon_PipeEvent", "DN_0041_529_logon_failure", "DN_0071_4737_security_enabled_global_group_was_changed", "DN_0086_4720_user_account_was_created", "DN_0018_14_windows_sysmon_RegistryEvent", "DN_0020_17_windows_sysmon_PipeEvent", "DN_0002_4688_windows_process_creation_with_commandline", "DN_0036_150_dns_server_could_not_load_dll", "DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed"], "logging_policy": ["LP_0041_windows_audit_other_object_access_events", "LP_0005_windows_sysmon_network_connection", "LP_0004_windows_audit_logon", "LP_0102_windows_audit_file_system", "LP_0039_windows_audit_kernel_object", "LP_0104_windows_audit_removable_storage", "LP_0103_windows_audit_registry", "LP_0042_windows_audit_handle_manipulation", "LP_0101_windows_audit_security_group_management", "LP_0027_windows_audit_directory_service_access", "LP_0008_windows_sysmon_FileCreate", "LP_0029_windows_audit_detailed_file_share", "LP_0001_windows_audit_process_creation", "LP_0106_windows_audit_kerberos_service_ticket_operations", "LP_0038_windows_audit_kerberos_authentication_service", "LP_0044_windows_ntlm_audit", "LP_0026_windows_audit_user_account_management", "LP_0046_windows_audit_security_state_change", "LP_0010_windows_sysmon_WmiEvent", "LP_0105_windows_audit_authorization_policy_change", "LP_0100_windows_audit_security_system_extension", "LP_0030_windows_audit_file_share", "LP_0107_windows_audit_credential_validation", "LP_0007_windows_sysmon_ProcessAccess", "LP_0045_windows_audit_filtering_platform_connection", "LP_0011_windows_sysmon_DnsQuery", "LP_0006_windows_sysmon_image_loaded", "LP_0028_windows_audit_sam", "LP_0003_windows_sysmon_process_creation", "LP_0009_windows_sysmon_PipeEvent", "LP_0002_windows_audit_process_creation_with_commandline"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 6089496032590752755}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0009: Collection"], "technique": ["not defined"], "detection_rule": "Suspicious access to sensitive file extensions", "detection_rule_author": "Samir Bousseaden", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0032_5145_network_share_object_was_accessed_detailed"], "logging_policy": ["LP_0029_windows_audit_detailed_file_share"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -1692350462797666120}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0004: Privilege Escalation"], "technique": ["T1078: Valid Accounts"], "detection_rule": "Enabled User Right in AD to Control User Objects", "detection_rule_author": "@neu5ron", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0066_4704_user_right_was_assigned"], "logging_policy": ["LP_0105_windows_audit_authorization_policy_change"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 3870187787379195551}}
-{"date_created": "2017-05-15T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1073: DLL Side-Loading"], "detection_rule": "DHCP Server Error Failed Loading the CallOut DLL", "detection_rule_author": "Dimitrios Slamaris, @atc_project (fix)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["System"], "provider": ["Microsoft-Windows-DHCP-Server"], "data_needed": ["DN_0049_1034_dhcp_service_failed_to_load_callout_dlls", "DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception", "DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 8569173217559984345}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1054: Indicator Blocking"], "detection_rule": "Disabling Windows Event Auditing", "detection_rule_author": "@neu5ron", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0067_4719_system_audit_policy_was_changed"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 322698695552118906}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0003: Persistence", "TA0004: Privilege Escalation"], "technique": ["T1050: New Service"], "detection_rule": "Rare Service Installs", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["System"], "provider": ["Service Control Manager"], "data_needed": ["DN_0005_7045_windows_service_insatalled"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 7759882525496315606}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "technique": ["T1078: Valid Accounts"], "detection_rule": "Interactive Logon to Server Systems", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0057_4625_account_failed_to_logon", "DN_0004_4624_windows_account_logon", "DN_0040_528_user_successfully_logged_on_to_a_computer", "DN_0041_529_logon_failure"], "logging_policy": ["LP_0004_windows_audit_logon"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 6291802354655429103}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0003: Persistence", "TA0004: Privilege Escalation"], "technique": ["T1098: Account Manipulation"], "detection_rule": "Password Change on Directory Service Restore Mode (DSRM) Account", "detection_rule_author": "Thomas Patzke", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "stable", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0028_4794_directory_services_restore_mode_admin_password_set"], "logging_policy": ["LP_0026_windows_audit_user_account_management"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -690643006493471896}}
-{"date_created": "2018-03-20T00:00:00", "customer": ["None"], "tactic": ["TA0006: Credential Access"], "technique": ["T1212: Exploitation for Credential Access"], "detection_rule": "NetNTLM Downgrade Attack", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0059_4657_registry_value_was_modified", "DN_0017_13_windows_sysmon_RegistryEvent"], "logging_policy": ["LP_0103_windows_audit_registry"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -8863179105711778695}}
-{"date_created": "2017-05-09T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1089: Disabling Security Tools", "T1211: Exploitation for Defense Evasion"], "detection_rule": "Microsoft Malware Protection Engine Crash", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 8905802748841878760}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0006: Credential Access"], "technique": ["T1003: Credential Dumping"], "detection_rule": "WCE wceaux.dll Access", "detection_rule_author": "Thomas Patzke", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0060_4658_handle_to_an_object_was_closed", "DN_0058_4656_handle_to_an_object_was_requested", "DN_0061_4660_object_was_deleted", "DN_0062_4663_attempt_was_made_to_access_an_object"], "logging_policy": ["LP_0102_windows_audit_file_system", "LP_0039_windows_audit_kernel_object", "LP_0104_windows_audit_removable_storage", "LP_0103_windows_audit_registry", "LP_0042_windows_audit_handle_manipulation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 2424566836156566291}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "technique": ["T1077: Windows Admin Shares"], "detection_rule": "Suspicious PsExec execution", "detection_rule_author": "Samir Bousseaden", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0032_5145_network_share_object_was_accessed_detailed"], "logging_policy": ["LP_0029_windows_audit_detailed_file_share"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 7694048135404494314}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1107: File Deletion"], "detection_rule": "Backup Catalog Deleted", "detection_rule_author": "Florian Roth (rule), Tom U. @c_APT_ure (collection)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 3086825697012239895}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0006: Credential Access"], "technique": ["T1212: Exploitation for Credential Access"], "detection_rule": "Kerberos Manipulation", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0042_675_kerberos_preauthentication_failed", "DN_0077_4769_kerberos_service_ticket_was_requested", "DN_0078_4771_kerberos_pre_authentication_failed", "DN_0076_4768_kerberos_authentication_ticket_was_requested"], "logging_policy": ["LP_0004_windows_audit_logon", "LP_0106_windows_audit_kerberos_service_ticket_operations", "LP_0038_windows_audit_kerberos_authentication_service"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 5591786375953825616}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1089: Disabling Security Tools"], "detection_rule": "Weak Encryption Enabled and Kerberoast", "detection_rule_author": "@neu5ron", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0027_4738_user_account_was_changed"], "logging_policy": ["LP_0026_windows_audit_user_account_management"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -176769817328139654}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0006: Credential Access"], "technique": ["T1212: Exploitation for Credential Access"], "detection_rule": "Possible Remote Password Change Through SAMR", "detection_rule_author": "Dimitrios Slamaris", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0032_5145_network_share_object_was_accessed_detailed", "DN_0027_4738_user_account_was_changed"], "logging_policy": ["LP_0029_windows_audit_detailed_file_share", "LP_0026_windows_audit_user_account_management"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -233688333017948023}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "technique": ["T1077: Windows Admin Shares"], "detection_rule": "First time seen remote named pipe", "detection_rule_author": "Samir Bousseaden", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0032_5145_network_share_object_was_accessed_detailed"], "logging_policy": ["LP_0029_windows_audit_detailed_file_share"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 7001964761599056509}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0001: Initial Access"], "technique": ["T1200: Hardware Additions"], "detection_rule": "USB Device Plugged", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-DriverFrameworks-UserMode/Operational"], "provider": ["Microsoft-Windows-DriverFrameworks-UserMode"], "data_needed": ["DN_0054_2102_pnp_or_power_operation_for_usb_device", "DN_0053_2100_pnp_or_power_operation_for_usb_device", "DN_0052_2003_query_to_load_usb_drivers"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 3529642997005809862}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0006: Credential Access"], "technique": ["T1003: Credential Dumping"], "detection_rule": "Possible Impacket SecretDump remote activity", "detection_rule_author": "Samir Bousseaden", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0032_5145_network_share_object_was_accessed_detailed"], "logging_policy": ["LP_0029_windows_audit_detailed_file_share"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 7279272839753483916}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "technique": ["T1075: Pass the Hash"], "detection_rule": "Pass the Hash Activity", "detection_rule_author": "Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0057_4625_account_failed_to_logon", "DN_0004_4624_windows_account_logon"], "logging_policy": ["LP_0004_windows_audit_logon"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 59251906150055697}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "technique": ["T1077: Windows Admin Shares"], "detection_rule": "Access to ADMIN$ Share", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0033_5140_network_share_object_was_accessed"], "logging_policy": ["LP_0030_windows_audit_file_share"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 4552386948581348297}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0004: Privilege Escalation"], "technique": ["T1078: Valid Accounts"], "detection_rule": "User Added to Local Administrators", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "stable", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0069_4732_member_was_added_to_security_enabled_local_group"], "logging_policy": ["LP_0101_windows_audit_security_group_management"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -2711156463063892094}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0006: Credential Access"], "technique": ["T1003: Credential Dumping"], "detection_rule": "Password Dumper Activity on LSASS", "detection_rule_author": "not defined", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0058_4656_handle_to_an_object_was_requested"], "logging_policy": ["LP_0102_windows_audit_file_system", "LP_0039_windows_audit_kernel_object", "LP_0104_windows_audit_removable_storage", "LP_0103_windows_audit_registry"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 2157221026116594957}}
-{"date_created": "2019-02-16T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0011: Command and Control"], "technique": ["T1076: Remote Desktop Protocol"], "detection_rule": "RDP over Reverse SSH Tunnel WFP", "detection_rule_author": "Samir Bousseaden", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0087_5156_windows_filtering_platform_has_permitted_connection"], "logging_policy": ["LP_0045_windows_audit_filtering_platform_connection"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 8299132520254393274}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0008: Lateral Movement", "TA0003: Persistence"], "technique": ["T1053: Scheduled Task"], "detection_rule": "Remote Task Creation via ATSVC named pipe", "detection_rule_author": "Samir Bousseaden", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0032_5145_network_share_object_was_accessed_detailed"], "logging_policy": ["LP_0029_windows_audit_detailed_file_share"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -4095305347081205865}}
-{"date_created": "2019-06-02T00:00:00", "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "technique": ["T1210: Exploitation of Remote Services"], "detection_rule": "Scanner PoC for CVE-2019-0708 RDP RCE vuln", "detection_rule_author": "Florian Roth (rule), Adam Bradbury (idea)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0057_4625_account_failed_to_logon"], "logging_policy": ["LP_0004_windows_audit_logon"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -2780283806434687229}}
+{"index": {"_id": 6096792181715750701}}
 {"date_created": "2018-08-26T00:00:00", "customer": ["None"], "tactic": ["TA0006: Credential Access"], "technique": ["T1003: Credential Dumping"], "detection_rule": "LSASS Access Detected via Attack Surface Reduction", "detection_rule_author": "Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -416831331560060176}}
+{"index": {"_id": 166595594248806323}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0006: Credential Access"], "technique": ["T1212: Exploitation for Credential Access"], "detection_rule": "Possible Remote Password Change Through SAMR", "detection_rule_author": "Dimitrios Slamaris", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0032_5145_network_share_object_was_accessed_detailed", "DN_0027_4738_user_account_was_changed"], "logging_policy": ["LP_0029_windows_audit_detailed_file_share", "LP_0026_windows_audit_user_account_management"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -6156678518555481647}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "technique": ["T1077: Windows Admin Shares"], "detection_rule": "First time seen remote named pipe", "detection_rule_author": "Samir Bousseaden", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0032_5145_network_share_object_was_accessed_detailed"], "logging_policy": ["LP_0029_windows_audit_detailed_file_share"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 4661942906210685120}}
+{"date_created": "2017-05-31T00:00:00", "customer": ["None"], "tactic": ["TA0007: Discovery", "TA0002: Execution"], "technique": ["T1087: Account Discovery", "T1075: Pass the Hash", "T1114: Email Collection", "T1059: Command-Line Interface"], "detection_rule": "Hacktool Ruler", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0057_4625_account_failed_to_logon", "DN_0004_4624_windows_account_logon", "DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account"], "logging_policy": ["LP_0004_windows_audit_logon", "LP_0107_windows_audit_credential_validation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 4250045393154896440}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1070: Indicator Removal on Host"], "detection_rule": "Security Eventlog Cleared", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Eventlog"], "data_needed": ["DN_0038_1102_the_audit_log_was_cleared", "DN_0050_1102_audit_log_was_cleared"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 5242374927174919359}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "technique": ["T1078: Valid Accounts"], "detection_rule": "Interactive Logon to Server Systems", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0057_4625_account_failed_to_logon", "DN_0040_528_user_successfully_logged_on_to_a_computer", "DN_0004_4624_windows_account_logon", "DN_0041_529_logon_failure"], "logging_policy": ["LP_0004_windows_audit_logon"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -7559109527111756024}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1107: File Deletion", "T1066: Indicator Removal from Tools"], "detection_rule": "Secure Deletion with SDelete", "detection_rule_author": "Thomas Patzke", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0062_4663_attempt_was_made_to_access_an_object", "DN_0060_4658_handle_to_an_object_was_closed", "DN_0058_4656_handle_to_an_object_was_requested"], "logging_policy": ["LP_0104_windows_audit_removable_storage", "LP_0102_windows_audit_file_system", "LP_0039_windows_audit_kernel_object", "LP_0103_windows_audit_registry", "LP_0042_windows_audit_handle_manipulation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 8712177953500088007}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0006: Credential Access"], "technique": ["T1003: Credential Dumping"], "detection_rule": "Malicious Service Install", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["System", "Security"], "provider": ["Microsoft-Windows-Kernel-General", "Microsoft-Windows-Security-Auditing", "Service Control Manager"], "data_needed": ["DN_0083_16_access_history_in_hive_was_cleared", "DN_0063_4697_service_was_installed_in_the_system", "DN_0005_7045_windows_service_insatalled"], "logging_policy": ["not defined", "LP_0100_windows_audit_security_system_extension"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -6233757016043964085}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0008: Lateral Movement", "TA0003: Persistence"], "technique": ["T1053: Scheduled Task"], "detection_rule": "Remote Task Creation via ATSVC named pipe", "detection_rule_author": "Samir Bousseaden", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0032_5145_network_share_object_was_accessed_detailed"], "logging_policy": ["LP_0029_windows_audit_detailed_file_share"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -8494747963045550166}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0002: Execution", "TA0004: Privilege Escalation", "TA0003: Persistence"], "technique": ["T1053: Scheduled Task"], "detection_rule": "Rare Schtasks Creations", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0064_4698_scheduled_task_was_created"], "logging_policy": ["LP_0041_windows_audit_other_object_access_events"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 3575548131896078718}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0006: Credential Access"], "technique": ["T1003: Credential Dumping"], "detection_rule": "Password Dumper Activity on LSASS", "detection_rule_author": "not defined", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0058_4656_handle_to_an_object_was_requested"], "logging_policy": ["LP_0104_windows_audit_removable_storage", "LP_0102_windows_audit_file_system", "LP_0039_windows_audit_kernel_object", "LP_0103_windows_audit_registry"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -6104119342815091046}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0001: Initial Access", "TA0008: Lateral Movement"], "technique": ["T1210: Exploitation of Remote Services", "T1190: Exploit Public-Facing Application"], "detection_rule": "Potential RDP exploit CVE-2019-0708", "detection_rule_author": "Lionel PRAT, Christophe BROCAS, @atc_project (improvements)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["System"], "provider": ["TermDD"], "data_needed": ["DN_0090_50_terminal_server_security_layer_detected_an_error", "DN_0089_56_terminal_server_security_layer_detected_an_error"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 3558234111757901855}}
+{"date_created": "2018-02-12T00:00:00", "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "technique": ["T1075: Pass the Hash"], "detection_rule": "Successful Overpass the Hash Attempt", "detection_rule_author": "Roberto Rodriguez (source), Dominik Schaudel (rule)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0004_4624_windows_account_logon"], "logging_policy": ["LP_0004_windows_audit_logon"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 5473745839822457483}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0003: Persistence", "TA0004: Privilege Escalation"], "technique": ["T1050: New Service"], "detection_rule": "Rare Service Installs", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["System"], "provider": ["Service Control Manager"], "data_needed": ["DN_0005_7045_windows_service_insatalled"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 489908988972296285}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0003: Persistence"], "technique": ["T1136: Create Account"], "detection_rule": "Detects local user creation", "detection_rule_author": "Patrick Bareiss", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0086_4720_user_account_was_created"], "logging_policy": ["LP_0026_windows_audit_user_account_management"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -6092897066353116899}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0004: Privilege Escalation"], "technique": ["T1078: Valid Accounts"], "detection_rule": "Enabled User Right in AD to Control User Objects", "detection_rule_author": "@neu5ron", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0066_4704_user_right_was_assigned"], "logging_policy": ["LP_0105_windows_audit_authorization_policy_change"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 6165713938388626824}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "technique": ["T1075: Pass the Hash"], "detection_rule": "Pass the Hash Activity", "detection_rule_author": "Dave Kennedy, Jeff Warren (method) / David Vassallo (rule)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "production", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0004_4624_windows_account_logon"], "logging_policy": ["LP_0004_windows_audit_logon"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -2405435089237018097}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0006: Credential Access"], "technique": ["T1003: Credential Dumping"], "detection_rule": "Possible Impacket SecretDump remote activity", "detection_rule_author": "Samir Bousseaden", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0032_5145_network_share_object_was_accessed_detailed"], "logging_policy": ["LP_0029_windows_audit_detailed_file_share"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -8417680585719995372}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0009: Collection"], "technique": ["not defined"], "detection_rule": "Suspicious access to sensitive file extensions", "detection_rule_author": "Samir Bousseaden", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0032_5145_network_share_object_was_accessed_detailed"], "logging_policy": ["LP_0029_windows_audit_detailed_file_share"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 398130941357113927}}
+{"date_created": "2019-02-05T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1099: Timestomp"], "detection_rule": "Unauthorized System Time Modification", "detection_rule_author": "@neu5ron", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0088_4616_system_time_was_changed"], "logging_policy": ["LP_0046_windows_audit_security_state_change"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 6450228553983545451}}
+{"date_created": "2019-06-02T00:00:00", "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "technique": ["T1210: Exploitation of Remote Services"], "detection_rule": "Scanner PoC for CVE-2019-0708 RDP RCE vuln", "detection_rule_author": "Florian Roth (rule), Adam Bradbury (idea)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0057_4625_account_failed_to_logon"], "logging_policy": ["LP_0004_windows_audit_logon"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 1598370580065279685}}
+{"date_created": "2018-06-03T00:00:00", "customer": ["None"], "tactic": ["TA0006: Credential Access"], "technique": ["T1003: Credential Dumping"], "detection_rule": "Mimikatz DC Sync", "detection_rule_author": "Benjamin Delpy, Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0030_4662_operation_was_performed_on_an_object"], "logging_policy": ["LP_0027_windows_audit_directory_service_access"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 1499144845898522631}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0003: Persistence", "TA0008: Lateral Movement"], "technique": ["T1053: Scheduled Task"], "detection_rule": "Persistence and Execution at scale via GPO scheduled task", "detection_rule_author": "Samir Bousseaden", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0032_5145_network_share_object_was_accessed_detailed"], "logging_policy": ["LP_0029_windows_audit_detailed_file_share"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 7869396629597505120}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0003: Persistence", "TA0004: Privilege Escalation"], "technique": ["T1098: Account Manipulation"], "detection_rule": "Password Change on Directory Service Restore Mode (DSRM) Account", "detection_rule_author": "Thomas Patzke", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "stable", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0028_4794_directory_services_restore_mode_admin_password_set"], "logging_policy": ["LP_0026_windows_audit_user_account_management"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 8381155899190219947}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["not defined"], "technique": ["not defined"], "detection_rule": "Relevant Anti-Virus Event", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -6195765535567281185}}
+{"date_created": "2017-01-10T00:00:00", "customer": ["None"], "tactic": ["TA0008: Lateral Movement", "TA0006: Credential Access"], "technique": ["T1003: Credential Dumping"], "detection_rule": "Mimikatz Use", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 3622370503872423444}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0008: Lateral Movement", "TA0003: Persistence"], "technique": ["not defined"], "detection_rule": "Remote Service Activity Detected via SVCCTL named pipe", "detection_rule_author": "Samir Bousseaden", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0032_5145_network_share_object_was_accessed_detailed"], "logging_policy": ["LP_0029_windows_audit_detailed_file_share"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -8905389352512911182}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1054: Indicator Blocking"], "detection_rule": "Disabling Windows Event Auditing", "detection_rule_author": "@neu5ron", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0067_4719_system_audit_policy_was_changed"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -4686506461520682573}}
+{"date_created": "2018-06-08T00:00:00", "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "technique": ["T1075: Pass the Hash"], "detection_rule": "NTLM Logon", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-NTLM/Operational"], "provider": ["Microsoft-Windows-NTLM"], "data_needed": ["DN_0082_8002_ntlm_server_blocked_audit"], "logging_policy": ["LP_0044_windows_ntlm_audit"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 8997138423964831999}}
+{"date_created": "2017-05-15T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1073: DLL Side-Loading"], "detection_rule": "DHCP Server Error Failed Loading the CallOut DLL", "detection_rule_author": "Dimitrios Slamaris, @atc_project (fix)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["System"], "provider": ["Microsoft-Windows-DHCP-Server"], "data_needed": ["DN_0049_1034_dhcp_service_failed_to_load_callout_dlls", "DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception", "DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -1519228775514107625}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0004: Privilege Escalation"], "technique": ["T1078: Valid Accounts"], "detection_rule": "User Added to Local Administrators", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "stable", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0069_4732_member_was_added_to_security_enabled_local_group"], "logging_policy": ["LP_0101_windows_audit_security_group_management"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 4113594757059470203}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "technique": ["T1077: Windows Admin Shares"], "detection_rule": "Suspicious PsExec execution", "detection_rule_author": "Samir Bousseaden", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0032_5145_network_share_object_was_accessed_detailed"], "logging_policy": ["LP_0029_windows_audit_detailed_file_share"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 2598923356024546419}}
+{"date_created": "2019-04-03T00:00:00", "customer": ["None"], "tactic": ["TA0006: Credential Access", "TA0003: Persistence"], "technique": ["not defined"], "detection_rule": "Powerview Add-DomainObjectAcl DCSync AD Extend Right", "detection_rule_author": "Samir Bousseaden", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0026_5136_windows_directory_service_object_was_modified"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 7189576099124746871}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0006: Credential Access"], "technique": ["T1003: Credential Dumping"], "detection_rule": "SAM Dump to AppData", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["System"], "provider": ["Microsoft-Windows-Kernel-General"], "data_needed": ["DN_0083_16_access_history_in_hive_was_cleared"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 3520194810560418406}}
+{"date_created": "2019-01-28T00:00:00", "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "technique": ["T1076: Remote Desktop Protocol"], "detection_rule": "RDP Login from localhost", "detection_rule_author": "Thomas Patzke", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0004_4624_windows_account_logon"], "logging_policy": ["LP_0004_windows_audit_logon"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -7545395727169398843}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0006: Credential Access"], "technique": ["T1212: Exploitation for Credential Access"], "detection_rule": "Kerberos Manipulation", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0077_4769_kerberos_service_ticket_was_requested", "DN_0076_4768_kerberos_authentication_ticket_was_requested", "DN_0078_4771_kerberos_pre_authentication_failed", "DN_0042_675_kerberos_preauthentication_failed"], "logging_policy": ["LP_0106_windows_audit_kerberos_service_ticket_operations", "LP_0038_windows_audit_kerberos_authentication_service", "LP_0004_windows_audit_logon"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 7485677502787359065}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0006: Credential Access"], "technique": ["T1208: Kerberoasting"], "detection_rule": "Suspicious Kerberos RC4 Ticket Encryption", "detection_rule_author": "not defined", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0077_4769_kerberos_service_ticket_was_requested"], "logging_policy": ["LP_0106_windows_audit_kerberos_service_ticket_operations"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -8072493127677772889}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0003: Persistence", "TA0004: Privilege Escalation"], "technique": ["T1178: SID-History Injection"], "detection_rule": "Addition of SID History to Active Directory Object", "detection_rule_author": "Thomas Patzke, @atc_project (improvements)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "stable", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0074_4765_sid_history_was_added_to_an_account", "DN_0027_4738_user_account_was_changed", "DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed"], "logging_policy": ["LP_0026_windows_audit_user_account_management"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 6377130658336157304}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0003: Persistence", "TA0004: Privilege Escalation"], "technique": ["T1050: New Service"], "detection_rule": "Malicious Service Installations", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["System"], "provider": ["Service Control Manager"], "data_needed": ["DN_0005_7045_windows_service_insatalled"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 2322540792599500924}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "technique": ["T1078: Valid Accounts"], "detection_rule": "Admin User Remote Logon", "detection_rule_author": "juju4", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0004_4624_windows_account_logon"], "logging_policy": ["LP_0004_windows_audit_logon"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -1123279355965411360}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0003: Persistence", "TA0004: Privilege Escalation"], "technique": ["T1078: Valid Accounts"], "detection_rule": "Account Tampering - Suspicious Failed Logon Reasons", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0057_4625_account_failed_to_logon", "DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account"], "logging_policy": ["LP_0004_windows_audit_logon", "LP_0107_windows_audit_credential_validation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -2845396571024673086}}
+{"date_created": "2017-05-08T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1073: DLL Side-Loading"], "detection_rule": "DNS Server Error Failed Loading the ServerLevelPluginDLL", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["DNS Server"], "provider": ["Microsoft-Windows-DNS-Server-Service"], "data_needed": ["DN_0036_150_dns_server_could_not_load_dll", "DN_0043_770_dns_server_plugin_dll_has_been_loaded"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 7061585018609063425}}
+{"date_created": "2019-02-16T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0011: Command and Control"], "technique": ["T1076: Remote Desktop Protocol"], "detection_rule": "RDP over Reverse SSH Tunnel WFP", "detection_rule_author": "Samir Bousseaden", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0087_5156_windows_filtering_platform_has_permitted_connection"], "logging_policy": ["LP_0045_windows_audit_filtering_platform_connection"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -2042164922635605801}}
+{"date_created": "2018-03-20T00:00:00", "customer": ["None"], "tactic": ["TA0008: Lateral Movement", "TA0002: Execution"], "technique": ["T1077: Windows Admin Shares", "T1035: Service Execution"], "detection_rule": "smbexec.py Service Installation", "detection_rule_author": "Omer Faruk Celik", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["System"], "provider": ["Service Control Manager"], "data_needed": ["DN_0005_7045_windows_service_insatalled"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -4376005850543143729}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0006: Credential Access", "TA0003: Persistence"], "technique": ["T1098: Account Manipulation"], "detection_rule": "Active Directory User Backdoors", "detection_rule_author": "@neu5ron", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0027_4738_user_account_was_changed", "DN_0026_5136_windows_directory_service_object_was_modified"], "logging_policy": ["LP_0026_windows_audit_user_account_management"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 7446548823300519820}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1070: Indicator Removal on Host"], "detection_rule": "Eventlog Cleared", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["System"], "provider": ["Microsoft-Windows-Eventlog"], "data_needed": ["DN_0034_104_log_file_was_cleared"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 2407348563791271447}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1089: Disabling Security Tools"], "detection_rule": "Weak Encryption Enabled and Kerberoast", "detection_rule_author": "@neu5ron", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0027_4738_user_account_was_changed"], "logging_policy": ["LP_0026_windows_audit_user_account_management"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -867882039584925532}}
+{"date_created": "2018-03-20T00:00:00", "customer": ["None"], "tactic": ["TA0006: Credential Access"], "technique": ["T1212: Exploitation for Credential Access"], "detection_rule": "NetNTLM Downgrade Attack", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent", "DN_0059_4657_registry_value_was_modified"], "logging_policy": ["not defined", "LP_0103_windows_audit_registry"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 4592133323123510142}}
+{"date_created": "2017-05-09T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1089: Disabling Security Tools", "T1211: Exploitation for Defense Evasion"], "detection_rule": "Microsoft Malware Protection Engine Crash", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 7867581065340581209}}
+{"date_created": "2019-11-15T00:00:00", "customer": ["None"], "tactic": ["TA0004: Privilege Escalation", "TA0006: Credential Access"], "technique": ["T1171: LLMNR/NBT-NS Poisoning and Relay"], "detection_rule": "RottenPotato Like Attack Pattern", "detection_rule_author": "@SBousseaden, Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0004_4624_windows_account_logon"], "logging_policy": ["LP_0004_windows_audit_logon"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -2101207260920429670}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "technique": ["T1077: Windows Admin Shares"], "detection_rule": "Access to ADMIN$ Share", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0033_5140_network_share_object_was_accessed"], "logging_policy": ["LP_0030_windows_audit_file_share"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -3600378141627130256}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0007: Discovery"], "technique": ["T1087: Account Discovery", "T1069: Permission Groups Discovery"], "detection_rule": "Reconnaissance Activity", "detection_rule_author": "Florian Roth (rule), Jack Croock (method)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0029_4661_handle_to_an_object_was_requested"], "logging_policy": ["LP_0028_windows_audit_sam", "LP_0027_windows_audit_directory_service_access"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -7966399237907317782}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1107: File Deletion"], "detection_rule": "Backup Catalog Deleted", "detection_rule_author": "Florian Roth (rule), Tom U. @c_APT_ure (collection)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -2644497218235702780}}
+{"date_created": "2017-05-15T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1073: DLL Side-Loading"], "detection_rule": "DHCP Server Loaded the CallOut DLL", "detection_rule_author": "Dimitrios Slamaris", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["System"], "provider": ["Microsoft-Windows-DHCP-Server"], "data_needed": ["DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -4078823071529384297}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0007: Discovery"], "technique": ["T1087: Account Discovery"], "detection_rule": "AD Privileged Users or Groups Reconnaissance", "detection_rule_author": "Samir Bousseaden", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0029_4661_handle_to_an_object_was_requested"], "logging_policy": ["LP_0028_windows_audit_sam", "LP_0027_windows_audit_directory_service_access"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -3977047856628434520}}
 {"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0003: Persistence", "TA0004: Privilege Escalation"], "technique": ["T1078: Valid Accounts"], "detection_rule": "Multiple Failed Logins with Different Accounts from Single Source System", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0057_4625_account_failed_to_logon", "DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account", "DN_0041_529_logon_failure"], "logging_policy": ["LP_0004_windows_audit_logon", "LP_0107_windows_audit_credential_validation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 3741847227814674154}}
-{"date_created": "2019-08-06T00:00:00", "customer": ["None"], "tactic": ["not defined"], "technique": ["not defined"], "detection_rule": "Ryuk Ransomware", "detection_rule_author": "Vasiliy Burov", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 2806178246905378899}}
-{"date_created": "2018-09-09T00:00:00", "customer": ["None"], "tactic": ["TA0003: Persistence"], "technique": ["T1100: Web Shell"], "detection_rule": "Antivirus Web Shell Detection", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["AV Alerts"], "platform": ["antivirus"], "type": ["None"], "channel": ["None"], "provider": ["None"], "data_needed": ["DN_0084_av_alert"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 532581194029036423}}
-{"date_created": "2018-09-09T00:00:00", "customer": ["None"], "tactic": ["not defined"], "technique": ["not defined"], "detection_rule": "Antivirus Relevant File Paths Alerts", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["AV Alerts"], "platform": ["antivirus"], "type": ["None"], "channel": ["None"], "provider": ["None"], "data_needed": ["DN_0084_av_alert"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 2588877949704909779}}
+{"index": {"_id": 1994862702942990321}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0006: Credential Access"], "technique": ["T1003: Credential Dumping"], "detection_rule": "WCE wceaux.dll Access", "detection_rule_author": "Thomas Patzke", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0062_4663_attempt_was_made_to_access_an_object", "DN_0060_4658_handle_to_an_object_was_closed", "DN_0058_4656_handle_to_an_object_was_requested", "DN_0061_4660_object_was_deleted"], "logging_policy": ["LP_0104_windows_audit_removable_storage", "LP_0102_windows_audit_file_system", "LP_0039_windows_audit_kernel_object", "LP_0103_windows_audit_registry", "LP_0042_windows_audit_handle_manipulation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -7061759375109393553}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1140: Deobfuscate/Decode Files or Information"], "detection_rule": "MSHTA Suspicious Execution 01", "detection_rule_author": "Diego Perez (@darkquassar)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 6165713938388626824}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "technique": ["T1075: Pass the Hash"], "detection_rule": "Pass the Hash Activity", "detection_rule_author": "Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0057_4625_account_failed_to_logon", "DN_0004_4624_windows_account_logon"], "logging_policy": ["LP_0004_windows_audit_logon"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 5803451439538318453}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0001: Initial Access"], "technique": ["T1200: Hardware Additions"], "detection_rule": "USB Device Plugged", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-DriverFrameworks-UserMode/Operational"], "provider": ["Microsoft-Windows-DriverFrameworks-UserMode"], "data_needed": ["DN_0053_2100_pnp_or_power_operation_for_usb_device", "DN_0052_2003_query_to_load_usb_drivers", "DN_0054_2102_pnp_or_power_operation_for_usb_device"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -5399415006588150344}}
 {"date_created": "2018-09-09T00:00:00", "customer": ["None"], "tactic": ["TA0002: Execution", "TA0011: Command and Control"], "technique": ["T1203: Exploitation for Client Execution", "T1219: Remote Access Tools"], "detection_rule": "Antivirus Exploitation Framework Detection", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["AV Alerts"], "platform": ["antivirus"], "type": ["None"], "channel": ["None"], "provider": ["None"], "data_needed": ["DN_0084_av_alert"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -8015320731937827901}}
+{"index": {"_id": -5200427436265212545}}
 {"date_created": "2018-09-09T00:00:00", "customer": ["None"], "tactic": ["TA0006: Credential Access"], "technique": ["T1003: Credential Dumping"], "detection_rule": "Antivirus Password Dumper Detection", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["AV Alerts"], "platform": ["antivirus"], "type": ["None"], "channel": ["None"], "provider": ["None"], "data_needed": ["DN_0084_av_alert"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -3743845658385994939}}
+{"index": {"_id": 5000063535324142988}}
+{"date_created": "2019-08-06T00:00:00", "customer": ["None"], "tactic": ["not defined"], "technique": ["not defined"], "detection_rule": "Ryuk Ransomware", "detection_rule_author": "Vasiliy Burov", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -3605674350361456443}}
+{"date_created": "2018-09-09T00:00:00", "customer": ["None"], "tactic": ["TA0003: Persistence"], "technique": ["T1100: Web Shell"], "detection_rule": "Antivirus Web Shell Detection", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["AV Alerts"], "platform": ["antivirus"], "type": ["None"], "channel": ["None"], "provider": ["None"], "data_needed": ["DN_0084_av_alert"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -8265717040337208619}}
 {"date_created": "2019-02-13T00:00:00", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1112: Modify Registry"], "detection_rule": "Ursnif", "detection_rule_author": "megan201296", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -8103587950108231926}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1035: Service Execution"], "detection_rule": "PsExec Tool Execution", "detection_rule_author": "Thomas Patzke", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["System", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Service Control Manager", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0005_7045_windows_service_insatalled", "DN_0031_7036_service_started_stopped", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["not defined", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 5634710628021726308}}
+{"index": {"_id": -5989680260669866576}}
+{"date_created": "2018-09-09T00:00:00", "customer": ["None"], "tactic": ["not defined"], "technique": ["not defined"], "detection_rule": "Antivirus Relevant File Paths Alerts", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["AV Alerts"], "platform": ["antivirus"], "type": ["None"], "channel": ["None"], "provider": ["None"], "data_needed": ["DN_0084_av_alert"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -868988385264833747}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0002: Execution", "TA0003: Persistence"], "technique": ["T1047: Windows Management Instrumentation"], "detection_rule": "WMI Persistence", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-WMI-Activity/Operational"], "provider": ["Microsoft-Windows-WMI-Activity"], "data_needed": ["DN_0080_5859_wmi_activity", "DN_0081_5861_wmi_activity"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 2959189553679674624}}
 {"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0003: Persistence"], "technique": ["T1053: Scheduled Task"], "detection_rule": "Rare Scheduled Task Creations", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-TaskScheduler/Operational"], "provider": ["Microsoft-Windows-TaskScheduler"], "data_needed": ["DN_0035_106_task_scheduler_task_registered"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -1676894898974270862}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0002: Execution", "TA0003: Persistence"], "technique": ["T1047: Windows Management Instrumentation"], "detection_rule": "WMI Persistence", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-WMI-Activity/Operational"], "provider": ["Microsoft-Windows-WMI-Activity"], "data_needed": ["DN_0081_5861_wmi_activity", "DN_0080_5859_wmi_activity"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 8317867145482656386}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "technique": ["T1086: PowerShell"], "detection_rule": "PowerShell Downgrade Attack", "detection_rule_author": "Florian Roth (rule), Lee Holmes (idea)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Windows PowerShell"], "provider": ["PowerShell"], "data_needed": ["DN_0038_400_engine_state_is_changed_from_none_to_available"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -8718253249964930695}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1086: PowerShell"], "detection_rule": "Suspicious PowerShell Download", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-PowerShell/Operational"], "provider": ["Microsoft-Windows-PowerShell"], "data_needed": ["DN_0037_4103_windows_powershell_executing_pipeline", "DN_0036_4104_windows_powershell_script_block"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -3791447881840755291}}
-{"date_created": "2019-02-11T00:00:00", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1086: PowerShell"], "detection_rule": "Suspicious PowerShell Keywords", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-PowerShell/Operational"], "provider": ["Microsoft-Windows-PowerShell"], "data_needed": ["DN_0037_4103_windows_powershell_executing_pipeline", "DN_0036_4104_windows_powershell_script_block"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 1225808659133385260}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1086: PowerShell"], "detection_rule": "Malicious PowerShell Commandlets", "detection_rule_author": "Sean Metcalf (source), Florian Roth (rule)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-PowerShell/Operational"], "provider": ["Microsoft-Windows-PowerShell"], "data_needed": ["DN_0037_4103_windows_powershell_executing_pipeline", "DN_0036_4104_windows_powershell_script_block"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -7961409657609048157}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1096: NTFS File Attributes"], "detection_rule": "NTFS Alternate Data Stream", "detection_rule_author": "Sami Ruohonen", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-PowerShell/Operational"], "provider": ["Microsoft-Windows-PowerShell"], "data_needed": ["DN_0037_4103_windows_powershell_executing_pipeline", "DN_0036_4104_windows_powershell_script_block"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -6605890064161708795}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0002: Execution", "TA0006: Credential Access"], "technique": ["T1086: PowerShell"], "detection_rule": "PowerShell Credential Prompt", "detection_rule_author": "John Lambert (idea), Florian Roth (rule)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-PowerShell/Operational"], "provider": ["Microsoft-Windows-PowerShell"], "data_needed": ["DN_0036_4104_windows_powershell_script_block"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -5162731236672337927}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "technique": ["T1086: PowerShell"], "detection_rule": "PowerShell called from an Executable Version Mismatch", "detection_rule_author": "Sean Metcalf (source), Florian Roth (rule)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Windows PowerShell"], "provider": ["PowerShell"], "data_needed": ["DN_0038_400_engine_state_is_changed_from_none_to_available"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 8498504063181589836}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1086: PowerShell"], "detection_rule": "Suspicious PowerShell Invocations - Generic", "detection_rule_author": "Florian Roth (rule)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-PowerShell/Operational"], "provider": ["Microsoft-Windows-PowerShell"], "data_needed": ["DN_0037_4103_windows_powershell_executing_pipeline", "DN_0036_4104_windows_powershell_script_block"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -2103515796661128378}}
-{"date_created": "2018-11-17T00:00:00", "customer": ["None"], "tactic": ["TA0004: Privilege Escalation", "TA0002: Execution"], "technique": ["T1055: Process Injection", "T1086: PowerShell"], "detection_rule": "PowerShell ShellCode", "detection_rule_author": "David Ledbetter (shellcode), Florian Roth (rule)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-PowerShell/Operational"], "provider": ["Microsoft-Windows-PowerShell"], "data_needed": ["DN_0036_4104_windows_powershell_script_block"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -242588484178361404}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1086: PowerShell"], "detection_rule": "Malicious PowerShell Keywords", "detection_rule_author": "Sean Metcalf (source), Florian Roth (rule)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-PowerShell/Operational"], "provider": ["Microsoft-Windows-PowerShell"], "data_needed": ["DN_0037_4103_windows_powershell_executing_pipeline", "DN_0036_4104_windows_powershell_script_block"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 2489857474993990961}}
+{"index": {"_id": 6768044760953032187}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1035: Service Execution"], "detection_rule": "PsExec Tool Execution", "detection_rule_author": "Thomas Patzke", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["System", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Service Control Manager", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0031_7036_service_started_stopped", "DN_0003_1_windows_sysmon_process_creation", "DN_0005_7045_windows_service_insatalled"], "logging_policy": ["not defined", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -1955867509339515344}}
 {"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1086: PowerShell"], "detection_rule": "PowerShell PSAttack", "detection_rule_author": "Sean Metcalf (source), Florian Roth (rule)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-PowerShell/Operational"], "provider": ["Microsoft-Windows-PowerShell"], "data_needed": ["DN_0037_4103_windows_powershell_executing_pipeline"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -1168439471909707134}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1086: PowerShell"], "detection_rule": "Suspicious PowerShell Invocations - Specific", "detection_rule_author": "Florian Roth (rule)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-PowerShell/Operational"], "provider": ["Microsoft-Windows-PowerShell"], "data_needed": ["DN_0037_4103_windows_powershell_executing_pipeline", "DN_0036_4104_windows_powershell_script_block"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 6779926283127448459}}
-{"date_created": "2019-03-22T00:00:00", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1064: Scripting"], "detection_rule": "LockerGoga Ransomware", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 1712524077349866839}}
-{"date_created": "2018-03-07T00:00:00", "customer": ["None"], "tactic": ["TA0002: Execution", "TA0003: Persistence"], "technique": ["T1047: Windows Management Instrumentation"], "detection_rule": "WMI Persistence - Script Event Consumer", "detection_rule_author": "Thomas Patzke", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 1009673131625091742}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1064: Scripting"], "detection_rule": "WSF/JSE/JS/VBA/VBE File Execution", "detection_rule_author": "Michael Haag", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 1376385515541387869}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1086: PowerShell"], "detection_rule": "Suspicious PowerShell Invocation based on Parent Process", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -1384454105002712598}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1047: Windows Management Instrumentation"], "detection_rule": "Suspicious WMI execution", "detection_rule_author": "Michael Haag, Florian Roth, juju4", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -7224219303623403835}}
-{"date_created": "2018-03-18T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1036: Masquerading"], "detection_rule": "Taskmgr as LOCAL_SYSTEM", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 1933683332790543419}}
-{"date_created": "2019-06-03T00:00:00", "customer": ["None"], "tactic": ["TA0004: Privilege Escalation"], "technique": ["T1068: Exploitation for Privilege Escalation"], "detection_rule": "Windows Kernel and 3rd-party drivers exploits. Token stealing", "detection_rule_author": "Teymur Kheirkhabarov (source), Daniil Yugoslavskiy (rule)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["EN_0001_cache_sysmon_event_id_1_info", "EN_0002_enrich_sysmon_event_id_1_with_parent_info"], "enrichment_requirements": ["not defined", ["EN_0001_cache_sysmon_event_id_1_info"]]}
-{"index": {"_id": 2491810091855758868}}
-{"date_created": "2018-08-17T00:00:00", "customer": ["None"], "tactic": ["TA0002: Execution", "TA0005: Defense Evasion"], "technique": ["T1086: PowerShell"], "detection_rule": "Powershell AMSI Bypass via .NET Reflection", "detection_rule_author": "Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -7057841049137977712}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0008: Lateral Movement", "TA0007: Discovery"], "technique": ["not defined"], "detection_rule": "Net.exe Execution", "detection_rule_author": "Michael Haag, Mark Woan (improvements)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -2895235800483675835}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "technique": ["T1127: Trusted Developer Utilities"], "detection_rule": "Microsoft Workflow Compiler", "detection_rule_author": "Nik Seetharaman", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0001_4688_windows_process_creation", "DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -7696684276606172554}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0002: Execution", "TA0006: Credential Access", "TA0005: Defense Evasion"], "technique": ["T1085: Rundll32", "T1070: Indicator Removal on Host", "T1003: Credential Dumping"], "detection_rule": "NotPetya Ransomware Activity", "detection_rule_author": "Florian Roth, Tom Ueltschi", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 1746596971535411751}}
-{"date_created": "2018-03-13T00:00:00", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1035: Service Execution"], "detection_rule": "PsExec Service Start", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -4579767452800898464}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["not defined"], "technique": ["not defined"], "detection_rule": "Quick Execution of a Series of Suspicious Commands", "detection_rule_author": "juju4", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 1468705987301650249}}
-{"date_created": "2019-02-06T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1073: DLL Side-Loading"], "detection_rule": "Suspicious GUP Usage", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0001_4688_windows_process_creation", "DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 3366567891165122442}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["not defined"], "technique": ["not defined"], "detection_rule": "Suspicious Process Creation", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -3486472197661735316}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0003: Persistence"], "technique": ["T1138: Application Shimming"], "detection_rule": "Possible Shim Database Persistence via sdbinst.exe", "detection_rule_author": "Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 7815435069884509124}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0006: Credential Access"], "technique": ["T1003: Credential Dumping"], "detection_rule": "Activity Related to NTDS.dit Domain Hash Retrieval", "detection_rule_author": "Florian Roth, Michael Haag", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -7586903304298378415}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "technique": ["T1175: Distributed Component Object Model"], "detection_rule": "MMC Spawning Windows Shell", "detection_rule_author": "Karneades, Swisscom CSIRT", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -3407509323763459110}}
-{"date_created": "2017-08-15T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1036: Masquerading"], "detection_rule": "Suspicious Svchost Process", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -1685626038057847591}}
-{"date_created": "2019-01-29T00:00:00", "customer": ["None"], "tactic": ["TA0008: Lateral Movement", "TA0011: Command and Control"], "technique": ["T1090: Connection Proxy"], "detection_rule": "Netsh", "detection_rule_author": "Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 3538485250013086474}}
-{"date_created": "2019-09-06T00:00:00", "customer": ["None"], "tactic": ["TA0003: Persistence", "TA0004: Privilege Escalation"], "technique": ["T1015: Accessibility Features"], "detection_rule": "Suspicious Debugger Registration Cmdline", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 7796348357816748162}}
-{"date_created": "2018-09-03T00:00:00", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1086: PowerShell"], "detection_rule": "Suspicious Encoded PowerShell Command Line", "detection_rule_author": "Florian Roth, Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 7119812662880521964}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1086: PowerShell"], "detection_rule": "Malicious Base64 encoded PowerShell Keywords in command lines", "detection_rule_author": "John Lambert (rule)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -4663509674961711371}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["not defined"], "technique": ["not defined"], "detection_rule": "WannaCry Ransomware", "detection_rule_author": "Florian Roth (rule), Tom U. @c_APT_ure (collection)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 6121622250734681255}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1086: PowerShell"], "detection_rule": "PowerShell Download from URL", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -453294032826373549}}
-{"date_created": "2018-11-14T00:00:00", "customer": ["None"], "tactic": ["TA0006: Credential Access"], "technique": ["T1208: Kerberoasting"], "detection_rule": "Possible SPN Enumeration", "detection_rule_author": "Markus Neis, keepwatch", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 403469031337418757}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0007: Discovery"], "technique": ["T1046: Network Service Scanning"], "detection_rule": "Java Running with Remote Debugging", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -4147414818783916868}}
-{"date_created": "2019-01-10T00:00:00", "customer": ["TESTCUSTOMER"], "tactic": ["TA0005: Defense Evasion", "TA0004: Privilege Escalation"], "technique": ["T1055: Process Injection"], "detection_rule": "Dridex Process Pattern", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -6947287082235007913}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["TESTCUSTOMER"], "tactic": ["TA0005: Defense Evasion", "TA0003: Persistence"], "technique": ["T1158: Hidden Files and Directories"], "detection_rule": "Hiding files with attrib.exe", "detection_rule_author": "Sami Ruohonen", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -609106828316238694}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1118: InstallUtil", "T1121: Regsvcs/Regasm", "T1127: Trusted Developer Utilities", "T1170: Mshta"], "detection_rule": "Possible Applocker Bypass", "detection_rule_author": "juju4", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -2884521320068098163}}
-{"date_created": "2019-06-15T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1036: Masquerading"], "detection_rule": "Renamed Binary", "detection_rule_author": "Matthew Green - @mgreen27", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 7854459979460342881}}
-{"date_created": "2018-02-09T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["not defined"], "detection_rule": "MsiExec Web Install", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -5868386318487138878}}
-{"date_created": "2019-04-02T00:00:00", "customer": ["None"], "tactic": ["TA0002: Execution", "TA0005: Defense Evasion"], "technique": ["T1059: Command-Line Interface", "T1202: Indirect Command Execution"], "detection_rule": "MS Office Product Spawning Exe in User Dir", "detection_rule_author": "Jason Lynch", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 6881867956054512672}}
-{"date_created": "2018-06-22T00:00:00", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["not defined"], "detection_rule": "Sysprep on AppData Folder", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 4077372183224096465}}
-{"date_created": "2019-06-17T00:00:00", "customer": ["None"], "tactic": ["not defined"], "technique": ["not defined"], "detection_rule": "Suspicious Userinit Child Process", "detection_rule_author": "Florian Roth (rule), Samir Bousseaden (idea)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -1547178517327405390}}
-{"date_created": "2019-02-11T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1036: Masquerading"], "detection_rule": "Suspicious Parent of Csc.exe", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -7828789572925685472}}
-{"date_created": "2019-04-20T00:00:00", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1086: PowerShell"], "detection_rule": "Empire PowerShell Launch Parameters", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -6434482042753556558}}
-{"date_created": "2018-12-27T00:00:00", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1059: Command-Line Interface", "T1202: Indirect Command Execution"], "detection_rule": "Suspicious Execution from Outlook", "detection_rule_author": "Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -7086542850357442777}}
-{"date_created": "2019-08-24T00:00:00", "customer": ["None"], "tactic": ["TA0002: Execution", "TA0005: Defense Evasion"], "technique": ["T1086: PowerShell", "T1140: Deobfuscate/Decode Files or Information"], "detection_rule": "Encoded FromBase64String", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -3411849960979769731}}
-{"date_created": "2019-04-03T00:00:00", "customer": ["None"], "tactic": ["TA0002: Execution", "TA0005: Defense Evasion"], "technique": ["T1064: Scripting"], "detection_rule": "WMI Spawning Windows PowerShell", "detection_rule_author": "Markus Neis / @Karneades", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -3921239620890527628}}
-{"date_created": "2017-04-15T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1073: DLL Side-Loading", "T1085: Rundll32"], "detection_rule": "Suspicious Control Panel DLL Load", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -3176177725830779796}}
-{"date_created": "2018-04-09T00:00:00", "customer": ["None"], "tactic": ["TA0006: Credential Access"], "technique": ["T1003: Credential Dumping"], "detection_rule": "Suspicious SYSVOL Domain Group Policy Access", "detection_rule_author": "Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 9122538507284102295}}
-{"date_created": "2018-02-22T00:00:00", "customer": ["TESTCUSTOMER"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1036: Masquerading"], "detection_rule": "Exploit for CVE-2015-1641", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -9177806814124895264}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0003: Persistence"], "technique": ["T1197: BITS Jobs"], "detection_rule": "Bitsadmin Download", "detection_rule_author": "Michael Haag", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 3577079004249809170}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["TESTCUSTOMER2", "TESTCUSTOMER"], "tactic": ["TA0006: Credential Access"], "technique": ["T1003: Credential Dumping"], "detection_rule": "Cmdkey Cached Credentials Recon", "detection_rule_author": "jmallette", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -6439930073626681930}}
-{"date_created": "2019-05-22T00:00:00", "customer": ["None"], "tactic": ["not defined"], "technique": ["not defined"], "detection_rule": "Terminal Service Process Spawn", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -7275377944277201583}}
-{"date_created": "2019-09-02T00:00:00", "customer": ["None"], "tactic": ["TA0006: Credential Access"], "technique": ["T1003: Credential Dumping"], "detection_rule": "Process dump via comsvcs DLL", "detection_rule_author": "Modexp (idea)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -944591474383753658}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1086: PowerShell"], "detection_rule": "Suspicious PowerShell Parameter Substring", "detection_rule_author": "Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 6882445717014682689}}
-{"date_created": "2018-08-13T00:00:00", "customer": ["None"], "tactic": ["TA0007: Discovery"], "technique": ["T1033: System Owner/User Discovery"], "detection_rule": "Whoami Execution", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -152757209568761339}}
-{"date_created": "2019-02-23T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1036: Masquerading"], "detection_rule": "Windows Processes Suspicious Parent Directory", "detection_rule_author": "vburov", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 3573945509306356238}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1036: Masquerading"], "detection_rule": "Suspicious Process Start Locations", "detection_rule_author": "juju4", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0001_4688_windows_process_creation", "DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 2504539909668011971}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0003: Persistence"], "technique": ["T1100: Web Shell"], "detection_rule": "Execution in Webserver Root Folder", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 6953989488126275738}}
-{"date_created": "2019-01-09T00:00:00", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1086: PowerShell"], "detection_rule": "PowerShell Script Run in AppData", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 7198750356189891412}}
-{"date_created": "2018-08-22T00:00:00", "customer": ["None"], "tactic": ["TA0007: Discovery"], "technique": ["T1087: Account Discovery", "T1082: System Information Discovery"], "detection_rule": "Reconnaissance Activity with Net Command", "detection_rule_author": "Florian Roth, Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -3322089657528943749}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0002: Execution", "TA0003: Persistence", "TA0004: Privilege Escalation"], "technique": ["T1053: Scheduled Task"], "detection_rule": "Scheduled Task Creation", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 5410599763513333188}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0004: Privilege Escalation", "TA0003: Persistence"], "technique": ["T1100: Web Shell"], "detection_rule": "Webshell Detection With Command Line Keywords", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -8621227810504165261}}
-{"date_created": "2019-01-29T00:00:00", "customer": ["None"], "tactic": ["TA0008: Lateral Movement", "TA0011: Command and Control"], "technique": ["T1090: Connection Proxy"], "detection_rule": "Netsh Port Forwarding", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -7085290996820301850}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "technique": ["T1064: Scripting"], "detection_rule": "WScript or CScript Dropper", "detection_rule_author": "Margaritis Dimitrios (idea), Florian Roth (rule)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -6841896587346027061}}
-{"date_created": "2019-02-24T00:00:00", "customer": ["None"], "tactic": ["not defined"], "technique": ["not defined"], "detection_rule": "Certutil Encode", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -8463771525698101971}}
-{"date_created": "2017-09-15T00:00:00", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1203: Exploitation for Client Execution"], "detection_rule": "Exploit for CVE-2017-8759", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -2805885201088312023}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["not defined"], "detection_rule": "Squirrel Lolbin", "detection_rule_author": "Karneades / Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 9098073926434680341}}
-{"date_created": "2018-04-06T00:00:00", "customer": ["None"], "tactic": ["TA0002: Execution", "TA0005: Defense Evasion"], "technique": ["T1059: Command-Line Interface", "T1202: Indirect Command Execution"], "detection_rule": "Microsoft Office Product Spawning Windows Shell", "detection_rule_author": "Michael Haag, Florian Roth, Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 8044704305476087500}}
-{"date_created": "2018-11-17T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1036: Masquerading"], "detection_rule": "PowerShell Base64 Encoded Shellcode", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -7574871090761385004}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "technique": ["T1117: Regsvr32"], "detection_rule": "Regsvr32 Anomaly", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -7670225864353358303}}
-{"date_created": "2019-06-01T00:00:00", "customer": ["None"], "tactic": ["not defined"], "technique": ["not defined"], "detection_rule": "Ransomware Deletes Volume Shadow Copies", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 4680626849571380983}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0004: Privilege Escalation", "TA0003: Persistence"], "technique": ["T1100: Web Shell"], "detection_rule": "Shells Spawned by Web Servers", "detection_rule_author": "Thomas Patzke", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 1378129056518068706}}
-{"date_created": "2019-02-09T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1036: Masquerading"], "detection_rule": "Suspicious Calculator Usage", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 6659092269056329393}}
-{"date_created": "2019-08-30T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0004: Privilege Escalation"], "technique": ["T1088: Bypass User Account Control"], "detection_rule": "Empire PowerShell UAC Bypass", "detection_rule_author": "Ecco", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 2247317832527578393}}
-{"date_created": "2018-10-30T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0006: Credential Access"], "technique": ["T1036: Masquerading", "T1003: Credential Dumping"], "detection_rule": "Suspicious Use of Procdump", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 387811200033194498}}
-{"date_created": "2017-11-27T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1036: Masquerading"], "detection_rule": "System File Execution Location Anomaly", "detection_rule_author": "Florian Roth, Patrick Bareiss", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0001_4688_windows_process_creation", "DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -1335716787136016523}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1036: Masquerading"], "detection_rule": "Execution in Non-Executable Folder", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0001_4688_windows_process_creation", "DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -6569595414665214185}}
-{"date_created": "2018-12-19T00:00:00", "customer": ["None"], "tactic": ["TA0006: Credential Access"], "technique": ["T1003: Credential Dumping"], "detection_rule": "Rubeus Hack Tool", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -7957964208860587372}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0003: Persistence"], "technique": ["T1100: Web Shell"], "detection_rule": "IIS Native-Code Module Command Line Installation", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 5766846976819954669}}
-{"date_created": "2017-10-14T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1036: Masquerading"], "detection_rule": "Executables Started in Suspicious Folder", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0001_4688_windows_process_creation", "DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 1337547463396055165}}
-{"date_created": "2017-11-23T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1211: Exploitation for Defense Evasion"], "detection_rule": "Droppers exploiting CVE-2017-11882", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -5135515156938505740}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1140: Deobfuscate/Decode Files or Information", "T1105: Remote File Copy"], "detection_rule": "Suspicious Certutil Command", "detection_rule_author": "Florian Roth, juju4, keepwatch", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 8062165298100484016}}
-{"date_created": "2019-03-22T00:00:00", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1070: Indicator Removal on Host"], "detection_rule": "Disable of ETW Trace", "detection_rule_author": "@neu5ron, Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -5543247405448792177}}
-{"date_created": "2018-09-05T00:00:00", "customer": ["TESTCUSTOMER"], "tactic": ["TA0002: Execution"], "technique": ["T1086: PowerShell"], "detection_rule": "Suspicious XOR Encoded PowerShell Command Line", "detection_rule_author": "Sami Ruohonen", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -5060146473140268786}}
-{"date_created": "2019-04-17T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1036: Masquerading"], "detection_rule": "Execution of Renamed PaExec", "detection_rule_author": "Jason Lynch", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 1760660972017594138}}
-{"date_created": "2018-12-12T00:00:00", "customer": ["None"], "tactic": ["not defined"], "technique": ["T1055: Process Injection", "T1218: Signed Binary Proxy Execution"], "detection_rule": "MavInject Process Injection", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -2663430798691501413}}
-{"date_created": "2019-08-24T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1500: Compile After Delivery"], "detection_rule": "Suspicious Csc.exe Source File Folder", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 3108716201024103427}}
-{"date_created": "2019-01-15T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1036: Masquerading"], "detection_rule": "Suspicious Program Location Process Starts", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0001_4688_windows_process_creation", "DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 4423970221864362383}}
-{"date_created": "2018-03-17T00:00:00", "customer": ["None"], "tactic": ["TA0011: Command and Control"], "technique": ["T1219: Remote Access Tools"], "detection_rule": "Suspicious TSCON Start", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 7787158627664221498}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["TESTCUSTOMER2", "TESTCUSTOMER"], "tactic": ["TA0005: Defense Evasion", "TA0004: Privilege Escalation", "TA0002: Execution"], "technique": ["T1088: Bypass User Account Control", "T1191: CMSTP"], "detection_rule": "CMSTP UAC Bypass via COM Object Access", "detection_rule_author": "Nik Seetharaman", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "stable", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -9175273190143482622}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0006: Credential Access"], "technique": ["T1003: Credential Dumping"], "detection_rule": "Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)", "detection_rule_author": "Thomas Patzke", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 7993668595316072168}}
+{"index": {"_id": 9126480692845756906}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1086: PowerShell"], "detection_rule": "Suspicious PowerShell Invocations - Generic", "detection_rule_author": "Florian Roth (rule)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-PowerShell/Operational"], "provider": ["Microsoft-Windows-PowerShell"], "data_needed": ["DN_0036_4104_windows_powershell_script_block", "DN_0037_4103_windows_powershell_executing_pipeline"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -805530079152282142}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1086: PowerShell"], "detection_rule": "Malicious PowerShell Commandlets", "detection_rule_author": "Sean Metcalf (source), Florian Roth (rule)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 4918862106499503973}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "technique": ["T1086: PowerShell"], "detection_rule": "PowerShell called from an Executable Version Mismatch", "detection_rule_author": "Sean Metcalf (source), Florian Roth (rule)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Windows PowerShell"], "provider": ["PowerShell"], "data_needed": ["DN_0038_400_engine_state_is_changed_from_none_to_available"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -3219277942137580737}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1096: NTFS File Attributes"], "detection_rule": "NTFS Alternate Data Stream", "detection_rule_author": "Sami Ruohonen", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-PowerShell/Operational"], "provider": ["Microsoft-Windows-PowerShell"], "data_needed": ["DN_0036_4104_windows_powershell_script_block", "DN_0037_4103_windows_powershell_executing_pipeline"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 2746834363250391094}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1086: PowerShell"], "detection_rule": "Malicious PowerShell Keywords", "detection_rule_author": "Sean Metcalf (source), Florian Roth (rule)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 4957650029498908258}}
+{"date_created": "2019-10-21T00:00:00", "customer": ["None"], "tactic": ["TA0003: Persistence"], "technique": ["T1004: Winlogon Helper DLL"], "detection_rule": "Winlogon Helper DLL", "detection_rule_author": "Timur Zinniatullin, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-PowerShell/Operational"], "provider": ["Microsoft-Windows-PowerShell"], "data_needed": ["DN_0036_4104_windows_powershell_script_block"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 5488870806701948109}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1086: PowerShell"], "detection_rule": "Suspicious PowerShell Invocations - Specific", "detection_rule_author": "Florian Roth (rule)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 156895993018450837}}
+{"date_created": "2018-11-17T00:00:00", "customer": ["None"], "tactic": ["TA0004: Privilege Escalation", "TA0002: Execution"], "technique": ["T1055: Process Injection", "T1086: PowerShell"], "detection_rule": "PowerShell ShellCode", "detection_rule_author": "David Ledbetter (shellcode), Florian Roth (rule)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-PowerShell/Operational"], "provider": ["Microsoft-Windows-PowerShell"], "data_needed": ["DN_0036_4104_windows_powershell_script_block"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 2100489771099522093}}
+{"date_created": "2019-02-11T00:00:00", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1086: PowerShell"], "detection_rule": "Suspicious PowerShell Keywords", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 3073618251165843996}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1086: PowerShell"], "detection_rule": "Suspicious PowerShell Download", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -5421755884826555335}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "technique": ["T1086: PowerShell"], "detection_rule": "PowerShell Downgrade Attack", "detection_rule_author": "Florian Roth (rule), Lee Holmes (idea)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Windows PowerShell"], "provider": ["PowerShell"], "data_needed": ["DN_0038_400_engine_state_is_changed_from_none_to_available"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 6757385959070291678}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0002: Execution", "TA0006: Credential Access"], "technique": ["T1086: PowerShell"], "detection_rule": "PowerShell Credential Prompt", "detection_rule_author": "John Lambert (idea), Florian Roth (rule)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-PowerShell/Operational"], "provider": ["Microsoft-Windows-PowerShell"], "data_needed": ["DN_0036_4104_windows_powershell_script_block"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 931006313443131788}}
+{"date_created": "2019-10-21T00:00:00", "customer": ["None"], "tactic": ["TA0010: Exfiltration"], "technique": ["T1002: Data Compressed"], "detection_rule": "Data Compressed", "detection_rule_author": "Timur Zinniatullin, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-PowerShell/Operational"], "provider": ["Microsoft-Windows-PowerShell"], "data_needed": ["DN_0036_4104_windows_powershell_script_block"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 3703943694944573098}}
+{"date_created": "2019-10-12T00:00:00", "customer": ["None"], "tactic": ["TA0003: Persistence"], "technique": ["T1218: Signed Binary Proxy Execution"], "detection_rule": "psr.exe capture screenshots", "detection_rule_author": "Beyu Denis, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -8547135848487322829}}
+{"date_created": "2019-10-01T00:00:00", "customer": ["None"], "tactic": ["TA0001: Initial Access"], "technique": ["T1193: Spearphishing Attachment"], "detection_rule": "Execution in Outlook Temp Folder", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation", "DN_0001_4688_windows_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -6593232542205516697}}
+{"date_created": "2018-02-09T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["not defined"], "detection_rule": "MsiExec Web Install", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -7537102939986270469}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1086: PowerShell"], "detection_rule": "PowerShell Download from URL", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 4756571242977489631}}
+{"date_created": "2017-01-01T00:00:00", "customer": ["None"], "tactic": ["TA0004: Privilege Escalation", "TA0003: Persistence"], "technique": ["T1100: Web Shell"], "detection_rule": "Webshell Detection With Command Line Keywords", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 7012952349290595015}}
+{"date_created": "2018-12-12T00:00:00", "customer": ["None"], "tactic": ["not defined"], "technique": ["T1055: Process Injection", "T1218: Signed Binary Proxy Execution"], "detection_rule": "MavInject Process Injection", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -1682971197824633309}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "technique": ["T1170: Mshta"], "detection_rule": "MSHTA Spawning Windows Shell", "detection_rule_author": "Michael Haag", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 4273584353603941615}}
 {"date_created": "2019-08-23T00:00:00", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1086: PowerShell", "T1140: Deobfuscate/Decode Files or Information"], "detection_rule": "Encoded IEX", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -7235396960392059054}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1140: Deobfuscate/Decode Files or Information"], "detection_rule": "Suspicious Commandline Escape", "detection_rule_author": "juju4", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -3642857258805894306}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["TESTCUSTOMER2", "TESTCUSTOMER"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1047: Windows Management Instrumentation"], "detection_rule": "SquiblyTwo", "detection_rule_author": "Markus Neis / Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 5252234752336138202}}
-{"date_created": "2018-02-22T00:00:00", "customer": ["TESTCUSTOMER"], "tactic": ["TA0005: Defense Evasion", "TA0004: Privilege Escalation"], "technique": ["T1055: Process Injection"], "detection_rule": "Exploit for CVE-2017-0261", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 6870802080847002143}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0007: Discovery"], "technique": ["T1087: Account Discovery"], "detection_rule": "Suspicious Reconnaissance Activity", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 4916335913013072395}}
-{"date_created": "2019-02-07T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0003: Persistence"], "technique": ["T1070: Indicator Removal on Host", "T1067: Bootkit"], "detection_rule": "Possible Ransomware or unauthorized MBR modifications", "detection_rule_author": "@neu5ron", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -1983360425743833543}}
-{"date_created": "2018-03-23T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1140: Deobfuscate/Decode Files or Information", "T1027: Obfuscated Files or Information"], "detection_rule": "Ping Hex IP", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -1719124723736792992}}
-{"date_created": "2018-03-13T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1036: Masquerading"], "detection_rule": "Taskmgr as Parent", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 7654033141908447899}}
-{"date_created": "2018-04-06T00:00:00", "customer": ["None"], "tactic": ["TA0002: Execution", "TA0005: Defense Evasion"], "technique": ["T1064: Scripting"], "detection_rule": "Windows Shell Spawning Suspicious Program", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -509854512161114895}}
-{"date_created": "2017-06-12T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1073: DLL Side-Loading"], "detection_rule": "Executable used by PlugX in Uncommon Location - Sysmon Version", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0001_4688_windows_process_creation", "DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 1925450150458221021}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "technique": ["T1170: Mshta"], "detection_rule": "MSHTA Spawning Windows Shell", "detection_rule_author": "Michael Haag", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -5955959738045265604}}
-{"date_created": "2018-06-07T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "technique": ["T1170: Mshta"], "detection_rule": "MSHTA spwaned by SVCHOST as seen in LethalHTA", "detection_rule_author": "Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 8018540397745840660}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1059: Command-Line Interface"], "detection_rule": "Command Line Execution with suspicious URL and AppData Strings", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -1538118273678277403}}
-{"date_created": "2017-11-10T00:00:00", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1064: Scripting"], "detection_rule": "Adwind RAT / JRAT", "detection_rule_author": "Florian Roth, Tom Ueltschi", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0015_11_windows_sysmon_FileCreate", "DN_0017_13_windows_sysmon_RegistryEvent", "DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0008_windows_sysmon_FileCreate", "LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 742959065165024681}}
-{"date_created": "2018-03-17T00:00:00", "customer": ["None"], "tactic": ["TA0008: Lateral Movement", "TA0004: Privilege Escalation"], "technique": ["T1076: Remote Desktop Protocol"], "detection_rule": "Suspicious RDP Redirect Using TSCON", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -3442974923301128390}}
-{"date_created": "2019-06-26T00:00:00", "customer": ["None"], "tactic": ["TA0001: Initial Access"], "technique": ["T1193: Spearphishing Attachment"], "detection_rule": "Suspicious Double Extension", "detection_rule_author": "Florian Roth (rule), @blu3_team (idea)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0001_4688_windows_process_creation", "DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -2899919098844178781}}
+{"index": {"_id": -2162826610141165049}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1036: Masquerading"], "detection_rule": "Suspicious Process Start Locations", "detection_rule_author": "juju4", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation", "DN_0001_4688_windows_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 2497216366344683227}}
+{"date_created": "2019-05-22T00:00:00", "customer": ["None"], "tactic": ["not defined"], "technique": ["not defined"], "detection_rule": "Terminal Service Process Spawn", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -4463046430169827927}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0003: Persistence"], "technique": ["T1100: Web Shell"], "detection_rule": "Execution in Webserver Root Folder", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -528089076330339173}}
+{"date_created": "2019-10-25T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "technique": ["T1218: Signed Binary Proxy Execution"], "detection_rule": "Possible Application Whitelisting Bypass via dll loaded by odbcconf.exe", "detection_rule_author": "Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 7615435517490833020}}
+{"date_created": "2019-10-26T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "technique": ["T1218: Signed Binary Proxy Execution"], "detection_rule": "Application Whitelisting bypass via dnx.exe", "detection_rule_author": "Beyu Denis, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 3270939155238864201}}
+{"date_created": "2019-10-23T00:00:00", "customer": ["None"], "tactic": ["not defined"], "technique": ["not defined"], "detection_rule": "Sysmon driver unload", "detection_rule_author": "Kirill Kiryanov, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -8979370677606090146}}
+{"date_created": "2019-10-21T00:00:00", "customer": ["None"], "tactic": ["TA0007: Discovery"], "technique": ["T1012: Query Registry", "T1007: System Service Discovery"], "detection_rule": "Query Registry", "detection_rule_author": "Timur Zinniatullin, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 2524346253416882498}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1140: Deobfuscate/Decode Files or Information", "T1105: Remote File Copy"], "detection_rule": "Suspicious Certutil Command", "detection_rule_author": "Florian Roth, juju4, keepwatch", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 4974890419560138953}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0007: Discovery"], "technique": ["T1046: Network Service Scanning"], "detection_rule": "Java Running with Remote Debugging", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 5070267957703415591}}
+{"date_created": "2019-10-26T00:00:00", "customer": ["None"], "tactic": ["TA0011: Command and Control"], "technique": ["T1105: Remote File Copy"], "detection_rule": "Malicious payload download via Office binaries", "detection_rule_author": "Beyu Denis, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -7813934263533247226}}
+{"date_created": "2018-10-30T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0006: Credential Access"], "technique": ["T1036: Masquerading", "T1003: Credential Dumping"], "detection_rule": "Suspicious Use of Procdump", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 8360859261226422340}}
+{"date_created": "2019-10-26T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "technique": ["T1218: Signed Binary Proxy Execution"], "detection_rule": "Application whitelisting bypass via bginfo", "detection_rule_author": "Beyu Denis, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 3940312430881285900}}
+{"date_created": "2019-09-06T00:00:00", "customer": ["None"], "tactic": ["TA0003: Persistence", "TA0004: Privilege Escalation"], "technique": ["T1015: Accessibility Features"], "detection_rule": "Suspicious Debugger Registration Cmdline", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -5028482063455598502}}
+{"date_created": "2019-10-11T00:00:00", "customer": ["None"], "tactic": ["TA0003: Persistence"], "technique": ["T1084: Windows Management Instrumentation Event Subscription"], "detection_rule": "WMI Backdoor Exchange Transport Agent", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -3135885809348716686}}
+{"date_created": "2019-10-01T00:00:00", "customer": ["None"], "tactic": ["not defined"], "technique": ["not defined"], "detection_rule": "QBot Process Creation", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 549533545640817283}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["TESTCUSTOMER"], "tactic": ["TA0005: Defense Evasion", "TA0003: Persistence"], "technique": ["T1158: Hidden Files and Directories"], "detection_rule": "Hiding files with attrib.exe", "detection_rule_author": "Sami Ruohonen", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 1401640680274456168}}
+{"date_created": "2017-06-12T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1073: DLL Side-Loading"], "detection_rule": "Executable used by PlugX in Uncommon Location - Sysmon Version", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation", "DN_0001_4688_windows_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -1205548426427246537}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1064: Scripting"], "detection_rule": "WSF/JSE/JS/VBA/VBE File Execution", "detection_rule_author": "Michael Haag", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -1276582860456683172}}
+{"date_created": "2019-05-22T00:00:00", "customer": ["None"], "tactic": ["TA0004: Privilege Escalation", "TA0002: Execution"], "technique": ["T1053: Scheduled Task"], "detection_rule": "Windows 10 scheduled task SandboxEscaper 0-day", "detection_rule_author": "Olaf Hartong", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -4599646537590579921}}
+{"date_created": "2018-03-13T00:00:00", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1035: Service Execution"], "detection_rule": "PsExec Service Start", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -2203361618591259247}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["not defined"], "technique": ["not defined"], "detection_rule": "WannaCry Ransomware", "detection_rule_author": "Florian Roth (rule), Tom U. @c_APT_ure (collection)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 5674862290805717120}}
+{"date_created": "2019-11-01T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["not defined"], "detection_rule": "Firewall Disabled via Netsh", "detection_rule_author": "Fatih Sirin", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -7134703689209337111}}
+{"date_created": "2019-06-17T00:00:00", "customer": ["None"], "tactic": ["not defined"], "technique": ["not defined"], "detection_rule": "Suspicious Userinit Child Process", "detection_rule_author": "Florian Roth (rule), Samir Bousseaden (idea)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -8456432419352170495}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1086: PowerShell"], "detection_rule": "Suspicious PowerShell Invocation based on Parent Process", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 5179675620528174841}}
+{"date_created": "2018-03-17T00:00:00", "customer": ["None"], "tactic": ["TA0008: Lateral Movement", "TA0004: Privilege Escalation"], "technique": ["T1076: Remote Desktop Protocol"], "detection_rule": "Suspicious RDP Redirect Using TSCON", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -3033351589841570279}}
+{"date_created": "2019-03-22T00:00:00", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1070: Indicator Removal on Host"], "detection_rule": "Disable of ETW Trace", "detection_rule_author": "@neu5ron, Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -2775893736818481039}}
+{"date_created": "2019-10-30T00:00:00", "customer": ["None"], "tactic": ["not defined"], "technique": ["not defined"], "detection_rule": "DTRACK Process Creation", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 6260610123502268024}}
+{"date_created": "2019-01-09T00:00:00", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1086: PowerShell"], "detection_rule": "PowerShell Script Run in AppData", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 5326736664782981015}}
+{"date_created": "2019-10-24T00:00:00", "customer": ["None"], "tactic": ["TA0007: Discovery"], "technique": ["T1040: Network Sniffing"], "detection_rule": "Capture a Network Trace with netsh.exe", "detection_rule_author": "Kutepov Anton, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 3030778552044243257}}
+{"date_created": "2018-09-03T00:00:00", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1086: PowerShell"], "detection_rule": "Suspicious Encoded PowerShell Command Line", "detection_rule_author": "Florian Roth, Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 1762064524701119565}}
+{"date_created": "2019-06-15T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1036: Masquerading"], "detection_rule": "Renamed Binary", "detection_rule_author": "Matthew Green - @mgreen27", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -8089494239963824532}}
+{"date_created": "2017-11-10T00:00:00", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1064: Scripting"], "detection_rule": "Adwind RAT / JRAT", "detection_rule_author": "Florian Roth, Tom Ueltschi", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent", "DN_0002_4688_windows_process_creation_with_commandline", "DN_0015_11_windows_sysmon_FileCreate", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["not defined", "LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0008_windows_sysmon_FileCreate", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -1095797047473300884}}
+{"date_created": "2019-02-06T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1073: DLL Side-Loading"], "detection_rule": "Suspicious GUP Usage", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation", "DN_0001_4688_windows_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 8760838284011813794}}
+{"date_created": "2019-01-29T00:00:00", "customer": ["None"], "tactic": ["TA0008: Lateral Movement", "TA0011: Command and Control"], "technique": ["T1090: Connection Proxy"], "detection_rule": "Netsh Port Forwarding", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -6556884734114542924}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1086: PowerShell"], "detection_rule": "Suspicious PowerShell Parameter Substring", "detection_rule_author": "Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 8612595513515360959}}
+{"date_created": "2018-03-06T00:00:00", "customer": ["None"], "tactic": ["TA0002: Execution", "TA0003: Persistence", "TA0004: Privilege Escalation"], "technique": ["T1053: Scheduled Task", "T1086: PowerShell"], "detection_rule": "Default PowerSploit and Empire Schtasks Persistence", "detection_rule_author": "Markus Neis, @Karneades", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -7433826405960750136}}
+{"date_created": "2019-06-03T00:00:00", "customer": ["None"], "tactic": ["TA0004: Privilege Escalation"], "technique": ["T1068: Exploitation for Privilege Escalation"], "detection_rule": "Windows Kernel and 3rd-party drivers exploits. Token stealing", "detection_rule_author": "Teymur Kheirkhabarov (source), Daniil Yugoslavskiy (rule)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["EN_0002_enrich_sysmon_event_id_1_with_parent_info", "EN_0001_cache_sysmon_event_id_1_info"], "enrichment_requirements": [["EN_0001_cache_sysmon_event_id_1_info"], "not defined"]}
+{"index": {"_id": -2470038652129265294}}
+{"date_created": "2017-10-14T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1036: Masquerading"], "detection_rule": "Executables Started in Suspicious Folder", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation", "DN_0001_4688_windows_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 7974778523532708654}}
+{"date_created": "2018-11-17T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1036: Masquerading"], "detection_rule": "PowerShell Base64 Encoded Shellcode", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 2656219558372469711}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0006: Credential Access"], "technique": ["T1003: Credential Dumping"], "detection_rule": "Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)", "detection_rule_author": "Thomas Patzke", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -834985669218245818}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1059: Command-Line Interface"], "detection_rule": "Command Line Execution with suspicious URL and AppData Strings", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -7767471854555034841}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["not defined"], "technique": ["not defined"], "detection_rule": "Suspicious Process Creation", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 7541870498989966340}}
+{"date_created": "2019-10-21T00:00:00", "customer": ["None"], "tactic": ["TA0007: Discovery"], "technique": ["T1033: System Owner/User Discovery", "T1087: Account Discovery"], "detection_rule": "Local accounts discovery", "detection_rule_author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -6347103791646637851}}
+{"date_created": "2019-08-24T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1500: Compile After Delivery"], "detection_rule": "Suspicious Csc.exe Source File Folder", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 3973481581086205814}}
+{"date_created": "2019-01-10T00:00:00", "customer": ["TESTCUSTOMER"], "tactic": ["TA0005: Defense Evasion", "TA0004: Privilege Escalation"], "technique": ["T1055: Process Injection"], "detection_rule": "Dridex Process Pattern", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -8457127527048289536}}
+{"date_created": "2019-06-01T00:00:00", "customer": ["None"], "tactic": ["not defined"], "technique": ["not defined"], "detection_rule": "Ransomware Deletes Volume Shadow Copies", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -574109735309496470}}
+{"date_created": "2018-08-13T00:00:00", "customer": ["None"], "tactic": ["TA0007: Discovery"], "technique": ["T1033: System Owner/User Discovery"], "detection_rule": "Whoami Execution", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 2996574230044016249}}
+{"date_created": "2019-04-02T00:00:00", "customer": ["None"], "tactic": ["TA0002: Execution", "TA0005: Defense Evasion"], "technique": ["T1059: Command-Line Interface", "T1202: Indirect Command Execution"], "detection_rule": "MS Office Product Spawning Exe in User Dir", "detection_rule_author": "Jason Lynch", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -6416957424472586778}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0003: Persistence"], "technique": ["T1100: Web Shell"], "detection_rule": "IIS Native-Code Module Command Line Installation", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 2249374977216833195}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["TESTCUSTOMER", "TESTCUSTOMER2"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1047: Windows Management Instrumentation"], "detection_rule": "SquiblyTwo", "detection_rule_author": "Markus Neis / Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -517554326702488203}}
+{"date_created": "2018-02-22T00:00:00", "customer": ["TESTCUSTOMER"], "tactic": ["TA0005: Defense Evasion", "TA0004: Privilege Escalation"], "technique": ["T1055: Process Injection"], "detection_rule": "Exploit for CVE-2017-0261", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 7639131158166353037}}
+{"date_created": "2019-10-26T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "technique": ["T1218: Signed Binary Proxy Execution"], "detection_rule": "Application Whitelisting bypass via dxcap.exe", "detection_rule_author": "Beyu Denis, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 5619009118134666791}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["not defined"], "technique": ["not defined"], "detection_rule": "Quick Execution of a Series of Suspicious Commands", "detection_rule_author": "juju4", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -5173062027072501842}}
+{"date_created": "2019-08-30T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0004: Privilege Escalation"], "technique": ["T1088: Bypass User Account Control"], "detection_rule": "Empire PowerShell UAC Bypass", "detection_rule_author": "Ecco", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -6776840429687710037}}
+{"date_created": "2019-10-22T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "technique": ["T1085: Rundll32"], "detection_rule": "Suspicious Call by Ordinal", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 7144274348599236836}}
+{"date_created": "2017-11-23T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1211: Exploitation for Defense Evasion"], "detection_rule": "Droppers exploiting CVE-2017-11882", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 785757754768215698}}
+{"date_created": "2019-10-30T00:00:00", "customer": ["None"], "tactic": ["not defined"], "technique": ["not defined"], "detection_rule": "Mustang Panda Dropper", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -1526739865923834651}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0007: Discovery"], "technique": ["T1087: Account Discovery"], "detection_rule": "Suspicious Reconnaissance Activity", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 4285613046788301213}}
 {"date_created": "2018-08-25T00:00:00", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1086: PowerShell"], "detection_rule": "Detection of PowerShell Execution via DLL", "detection_rule_author": "Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -8783296880231895539}}
-{"date_created": "2019-01-29T00:00:00", "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "technique": ["T1021: Remote Services"], "detection_rule": "Netsh RDP Port Forwarding", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -6938735686772528665}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "technique": ["T1064: Scripting"], "detection_rule": "Suspicious RASdial Activity", "detection_rule_author": "juju4", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 445372219596421295}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "technique": ["T1085: Rundll32"], "detection_rule": "Suspicious Rundll32 Activity", "detection_rule_author": "juju4", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -3473321902626961767}}
-{"date_created": "2018-03-15T00:00:00", "customer": ["None"], "tactic": ["TA0004: Privilege Escalation", "TA0003: Persistence"], "technique": ["T1015: Accessibility Features"], "detection_rule": "Sticky Key Like Backdoor Usage", "detection_rule_author": "Florian Roth, @twjackomo", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent", "DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["not defined", "LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 9036924728169023404}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["TESTCUSTOMER"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "technique": ["T1191: CMSTP"], "detection_rule": "CMSTP Execution", "detection_rule_author": "Nik Seetharaman", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "stable", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent", "DN_0014_10_windows_sysmon_ProcessAccess", "DN_0016_12_windows_sysmon_RegistryEvent", "DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["not defined", "LP_0007_windows_sysmon_ProcessAccess", "LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -3109523827983707417}}
-{"date_created": "2019-05-15T00:00:00", "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "technique": ["T1210: Exploitation of Remote Services"], "detection_rule": "Suspicious Outbound RDP Connections", "detection_rule_author": "Markus Neis - Swisscom", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0007_3_windows_sysmon_network_connection"], "logging_policy": ["LP_0005_windows_sysmon_network_connection"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -7772513120921930185}}
-{"date_created": "2017-03-04T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0004: Privilege Escalation"], "technique": ["T1055: Process Injection"], "detection_rule": "Malware Shellcode in Verclsid Target Process", "detection_rule_author": "John Lambert (tech), Florian Roth (rule)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0014_10_windows_sysmon_ProcessAccess"], "logging_policy": ["LP_0007_windows_sysmon_ProcessAccess"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 1321821183365595479}}
-{"date_created": "2018-06-25T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "technique": ["T1085: Rundll32", "T1086: PowerShell"], "detection_rule": "PowerShell Rundll32 Remote Thread Creation", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0012_8_windows_sysmon_CreateRemoteThread"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 2752665632372242675}}
+{"index": {"_id": 7438922923170194761}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "technique": ["T1117: Regsvr32"], "detection_rule": "Regsvr32 Anomaly", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -8274911836051621100}}
+{"date_created": "2019-10-02T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1117: Regsvr32"], "detection_rule": "BlueMashroom DLL Load", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -7394041009020823030}}
+{"date_created": "2018-03-13T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1036: Masquerading"], "detection_rule": "Taskmgr as Parent", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 8985303810776562772}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["TESTCUSTOMER", "TESTCUSTOMER2"], "tactic": ["TA0006: Credential Access"], "technique": ["T1003: Credential Dumping"], "detection_rule": "Cmdkey Cached Credentials Recon", "detection_rule_author": "jmallette", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 7540602275467704342}}
+{"date_created": "2019-09-30T00:00:00", "customer": ["None"], "tactic": ["not defined"], "technique": ["not defined"], "detection_rule": "Formbook Process Creation", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 7528250646652857796}}
+{"date_created": "2018-04-06T00:00:00", "customer": ["None"], "tactic": ["TA0002: Execution", "TA0005: Defense Evasion"], "technique": ["T1064: Scripting"], "detection_rule": "Windows Shell Spawning Suspicious Program", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 2914913769483920537}}
+{"date_created": "2019-10-21T00:00:00", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1035: Service Execution"], "detection_rule": "Service Execution", "detection_rule_author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 7515692271657907638}}
+{"date_created": "2018-11-14T00:00:00", "customer": ["None"], "tactic": ["TA0006: Credential Access"], "technique": ["T1208: Kerberoasting"], "detection_rule": "Possible SPN Enumeration", "detection_rule_author": "Markus Neis, keepwatch", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 2728576894372948298}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "technique": ["T1064: Scripting"], "detection_rule": "WScript or CScript Dropper", "detection_rule_author": "Margaritis Dimitrios (idea), Florian Roth (rule)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -1994624209943058231}}
+{"date_created": "2019-02-09T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1036: Masquerading"], "detection_rule": "Suspicious Calculator Usage", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -7250336069723501653}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0003: Persistence"], "technique": ["T1197: BITS Jobs"], "detection_rule": "Bitsadmin Download", "detection_rule_author": "Michael Haag", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 721696237415980827}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0002: Execution", "TA0003: Persistence", "TA0004: Privilege Escalation"], "technique": ["T1053: Scheduled Task"], "detection_rule": "Scheduled Task Creation", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 910147530928848467}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1047: Windows Management Instrumentation"], "detection_rule": "Suspicious WMI execution", "detection_rule_author": "Michael Haag, Florian Roth, juju4", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -232895896567982671}}
+{"date_created": "2018-06-22T00:00:00", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["not defined"], "detection_rule": "Sysprep on AppData Folder", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 3912536813343298626}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0008: Lateral Movement", "TA0007: Discovery"], "technique": ["not defined"], "detection_rule": "Net.exe Execution", "detection_rule_author": "Michael Haag, Mark Woan (improvements)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -4096495852996067355}}
+{"date_created": "2018-12-19T00:00:00", "customer": ["None"], "tactic": ["TA0006: Credential Access"], "technique": ["T1003: Credential Dumping"], "detection_rule": "Rubeus Hack Tool", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -3103420886262610978}}
+{"date_created": "2019-04-20T00:00:00", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1086: PowerShell"], "detection_rule": "Empire PowerShell Launch Parameters", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 8956296748527648736}}
+{"date_created": "2019-10-12T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "technique": ["T1218: Signed Binary Proxy Execution"], "detection_rule": "Devtoolslauncher.exe executes specified binary", "detection_rule_author": "Beyu Denis, oscd.community (rule), @_felamos (idea)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 2010177335057189668}}
+{"date_created": "2018-06-07T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "technique": ["T1170: Mshta"], "detection_rule": "MSHTA spwaned by SVCHOST as seen in LethalHTA", "detection_rule_author": "Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 2070865079187201976}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1118: InstallUtil", "T1121: Regsvcs/Regasm", "T1127: Trusted Developer Utilities", "T1170: Mshta"], "detection_rule": "Possible Applocker Bypass", "detection_rule_author": "juju4", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 8740198012273261197}}
+{"date_created": "2019-10-21T00:00:00", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1220: XSL Script Processing"], "detection_rule": "XSL Script Processing", "detection_rule_author": "Timur Zinniatullin, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 6020170423905272902}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0003: Persistence"], "technique": ["T1138: Application Shimming"], "detection_rule": "Possible Shim Database Persistence via sdbinst.exe", "detection_rule_author": "Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -6115097119329788285}}
+{"date_created": "2018-03-18T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1036: Masquerading"], "detection_rule": "Taskmgr as LOCAL_SYSTEM", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 7263791055319126626}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "technique": ["T1175: Component Object Model and Distributed COM"], "detection_rule": "MMC Spawning Windows Shell", "detection_rule_author": "Karneades, Swisscom CSIRT", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 4205318070873321599}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1086: PowerShell"], "detection_rule": "Malicious Base64 encoded PowerShell Keywords in command lines", "detection_rule_author": "John Lambert (rule)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 2947041281252376437}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0006: Credential Access"], "technique": ["T1003: Credential Dumping"], "detection_rule": "Activity Related to NTDS.dit Domain Hash Retrieval", "detection_rule_author": "Florian Roth, Michael Haag", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 8843726643322340122}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "technique": ["T1064: Scripting"], "detection_rule": "Suspicious RASdial Activity", "detection_rule_author": "juju4", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 7876956298980162816}}
+{"date_created": "2017-09-15T00:00:00", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1203: Exploitation for Client Execution"], "detection_rule": "Exploit for CVE-2017-8759", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -5454159595633589073}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["not defined"], "detection_rule": "Squirrel Lolbin", "detection_rule_author": "Karneades / Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 1614172931565762263}}
+{"date_created": "2019-11-20T00:00:00", "customer": ["None"], "tactic": ["TA0004: Privilege Escalation"], "technique": ["T1068: Exploitation for Privilege Escalation"], "detection_rule": "Exploiting CVE-2019-1388", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 444988746054147901}}
+{"date_created": "2018-04-09T00:00:00", "customer": ["None"], "tactic": ["TA0006: Credential Access"], "technique": ["T1003: Credential Dumping"], "detection_rule": "Suspicious SYSVOL Domain Group Policy Access", "detection_rule_author": "Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 471417308843632729}}
+{"date_created": "2019-10-15T00:00:00", "customer": ["None"], "tactic": ["TA0010: Exfiltration"], "technique": ["T1020: Automated Exfiltration", "T1002: Data Compressed"], "detection_rule": "Suspicious Compression Tool Parameters", "detection_rule_author": "Florian Roth, Samir Bousseaden", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 7433059808825384346}}
+{"date_created": "2019-10-21T00:00:00", "customer": ["None"], "tactic": ["TA0003: Persistence"], "technique": ["T1042: Change Default File Association"], "detection_rule": "Change Default File Association", "detection_rule_author": "Timur Zinniatullin, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -7231121631131183651}}
+{"date_created": "2019-01-29T00:00:00", "customer": ["None"], "tactic": ["TA0008: Lateral Movement", "TA0011: Command and Control"], "technique": ["T1090: Connection Proxy"], "detection_rule": "Netsh", "detection_rule_author": "Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -4969447232068461302}}
+{"date_created": "2018-03-17T00:00:00", "customer": ["None"], "tactic": ["TA0011: Command and Control"], "technique": ["T1219: Remote Access Tools"], "detection_rule": "Suspicious TSCON Start", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -4893404528149259125}}
+{"date_created": "2019-10-14T00:00:00", "customer": ["None"], "tactic": ["not defined"], "technique": ["not defined"], "detection_rule": "Suspicious Code Page Switch", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 1995472150864745136}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0004: Privilege Escalation", "TA0003: Persistence"], "technique": ["T1100: Web Shell"], "detection_rule": "Shells Spawned by Web Servers", "detection_rule_author": "Thomas Patzke", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -507530008502823851}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["TESTCUSTOMER", "TESTCUSTOMER2"], "tactic": ["TA0005: Defense Evasion", "TA0004: Privilege Escalation", "TA0002: Execution"], "technique": ["T1088: Bypass User Account Control", "T1191: CMSTP"], "detection_rule": "CMSTP UAC Bypass via COM Object Access", "detection_rule_author": "Nik Seetharaman", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "stable", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 1234292192689948638}}
+{"date_created": "2018-03-23T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1140: Deobfuscate/Decode Files or Information", "T1027: Obfuscated Files or Information"], "detection_rule": "Ping Hex IP", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -2583022284570119305}}
+{"date_created": "2017-11-27T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1036: Masquerading"], "detection_rule": "System File Execution Location Anomaly", "detection_rule_author": "Florian Roth, Patrick Bareiss", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation", "DN_0001_4688_windows_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -6287197118584539872}}
+{"date_created": "2019-09-30T00:00:00", "customer": ["None"], "tactic": ["not defined"], "technique": ["not defined"], "detection_rule": "Emotet Process Creation", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -4264687967287944453}}
+{"date_created": "2019-10-12T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "technique": ["T1218: Signed Binary Proxy Execution"], "detection_rule": "OpenWith.exe executes specified binary", "detection_rule_author": "Beyu Denis, oscd.community (rule), @harr0ey (idea)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 5271196739912129593}}
+{"date_created": "2019-02-07T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0003: Persistence"], "technique": ["T1070: Indicator Removal on Host", "T1067: Bootkit"], "detection_rule": "Possible Ransomware or unauthorized MBR modifications", "detection_rule_author": "@neu5ron", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log"], "channel": ["Security"], "provider": ["Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -1600429239723357048}}
+{"date_created": "2018-08-22T00:00:00", "customer": ["None"], "tactic": ["TA0007: Discovery"], "technique": ["T1087: Account Discovery", "T1082: System Information Discovery"], "detection_rule": "Reconnaissance Activity with Net Command", "detection_rule_author": "Florian Roth, Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 1476369463099778829}}
+{"date_created": "2019-08-24T00:00:00", "customer": ["None"], "tactic": ["TA0002: Execution", "TA0005: Defense Evasion"], "technique": ["T1086: PowerShell", "T1140: Deobfuscate/Decode Files or Information"], "detection_rule": "Encoded FromBase64String", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -4557696652823286157}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0002: Execution", "TA0006: Credential Access", "TA0005: Defense Evasion"], "technique": ["T1085: Rundll32", "T1070: Indicator Removal on Host", "T1003: Credential Dumping"], "detection_rule": "NotPetya Ransomware Activity", "detection_rule_author": "Florian Roth, Tom Ueltschi", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -2073345514059721498}}
+{"date_created": "2019-09-26T00:00:00", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1070: Indicator Removal on Host"], "detection_rule": "Suspicious eventlog clear or configuration using wevtutil", "detection_rule_author": "Ecco", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -8245096321800933083}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "technique": ["T1085: Rundll32"], "detection_rule": "Suspicious Rundll32 Activity", "detection_rule_author": "juju4", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -4065221110213737674}}
+{"date_created": "2019-02-24T00:00:00", "customer": ["None"], "tactic": ["not defined"], "technique": ["not defined"], "detection_rule": "Certutil Encode", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -5065740952199937862}}
+{"date_created": "2019-11-14T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1036: Masquerading"], "detection_rule": "Suspicious MsiExec Directory", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation", "DN_0001_4688_windows_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 7208162989158713054}}
+{"date_created": "2019-01-15T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1036: Masquerading"], "detection_rule": "Suspicious Program Location Process Starts", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation", "DN_0001_4688_windows_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -5000408535498721174}}
+{"date_created": "2019-09-03T00:00:00", "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "technique": ["T1047: Windows Management Instrumentation", "T1175: Component Object Model and Distributed COM"], "detection_rule": "Impacket Lateralization Detection", "detection_rule_author": "Ecco", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -8484624098670958873}}
+{"date_created": "2019-10-21T00:00:00", "customer": ["None"], "tactic": ["TA0006: Credential Access", "TA0007: Discovery"], "technique": ["T1040: Network Sniffing"], "detection_rule": "Network Sniffing", "detection_rule_author": "Timur Zinniatullin, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -5301713656479383931}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1140: Deobfuscate/Decode Files or Information"], "detection_rule": "Suspicious Commandline Escape", "detection_rule_author": "juju4", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -2519376423957014912}}
+{"date_created": "2018-04-06T00:00:00", "customer": ["None"], "tactic": ["TA0002: Execution", "TA0005: Defense Evasion"], "technique": ["T1059: Command-Line Interface", "T1202: Indirect Command Execution"], "detection_rule": "Microsoft Office Product Spawning Windows Shell", "detection_rule_author": "Michael Haag, Florian Roth, Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 426754767140311911}}
+{"date_created": "2019-09-02T00:00:00", "customer": ["None"], "tactic": ["TA0006: Credential Access"], "technique": ["T1003: Credential Dumping"], "detection_rule": "Process dump via comsvcs DLL", "detection_rule_author": "Modexp (idea)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 5383219587954772848}}
+{"date_created": "2019-06-26T00:00:00", "customer": ["None"], "tactic": ["TA0001: Initial Access"], "technique": ["T1193: Spearphishing Attachment"], "detection_rule": "Suspicious Double Extension", "detection_rule_author": "Florian Roth (rule), @blu3_team (idea)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation", "DN_0001_4688_windows_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -173065639751602550}}
+{"date_created": "2019-11-15T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0004: Privilege Escalation"], "technique": ["T1055: Process Injection"], "detection_rule": "Exploiting SetupComplete.cmd CVE-2019-1378", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -4822396334419538173}}
+{"date_created": "2018-08-17T00:00:00", "customer": ["None"], "tactic": ["TA0002: Execution", "TA0005: Defense Evasion"], "technique": ["T1086: PowerShell"], "detection_rule": "Powershell AMSI Bypass via .NET Reflection", "detection_rule_author": "Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 8243220801822106267}}
+{"date_created": "2019-08-27T00:00:00", "customer": ["None"], "tactic": ["TA0002: Execution", "TA0005: Defense Evasion"], "technique": ["T1196: Control Panel Items"], "detection_rule": "Control Panel Items", "detection_rule_author": "Kyaw Min Thein", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 4537666976490191642}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1036: Masquerading"], "detection_rule": "Execution in Non-Executable Folder", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation", "DN_0001_4688_windows_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -8361931429627654311}}
+{"date_created": "2019-04-03T00:00:00", "customer": ["None"], "tactic": ["TA0002: Execution", "TA0005: Defense Evasion"], "technique": ["T1064: Scripting"], "detection_rule": "WMI Spawning Windows PowerShell", "detection_rule_author": "Markus Neis / @Karneades", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 6304190990674875509}}
+{"date_created": "2019-02-11T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1036: Masquerading"], "detection_rule": "Suspicious Parent of Csc.exe", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 3070130271316870478}}
+{"date_created": "2017-08-15T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1036: Masquerading"], "detection_rule": "Suspicious Svchost Process", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -6724957880312245573}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "technique": ["T1127: Trusted Developer Utilities"], "detection_rule": "Microsoft Workflow Compiler", "detection_rule_author": "Nik Seetharaman", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation", "DN_0001_4688_windows_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 5854913384232466128}}
+{"date_created": "2019-09-26T00:00:00", "customer": ["None"], "tactic": ["not defined"], "technique": ["not defined"], "detection_rule": "Fsutil suspicious invocation", "detection_rule_author": "Ecco", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -3231808106164258736}}
+{"date_created": "2019-01-29T00:00:00", "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "technique": ["T1021: Remote Services"], "detection_rule": "Netsh RDP Port Forwarding", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 4299208082741792627}}
+{"date_created": "2019-10-24T00:00:00", "customer": ["None"], "tactic": ["TA0002: Execution", "TA0005: Defense Evasion", "TA0001: Initial Access"], "technique": ["T1059: Command-Line Interface", "T1202: Indirect Command Execution", "T1193: Spearphishing Attachment"], "detection_rule": "Suspicious HWP Sub Processes", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -9162312148373849861}}
+{"date_created": "2018-09-05T00:00:00", "customer": ["TESTCUSTOMER"], "tactic": ["TA0002: Execution"], "technique": ["T1086: PowerShell"], "detection_rule": "Suspicious XOR Encoded PowerShell Command Line", "detection_rule_author": "Sami Ruohonen", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 8838544517103347361}}
+{"date_created": "2019-02-23T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1036: Masquerading"], "detection_rule": "Windows Processes Suspicious Parent Directory", "detection_rule_author": "vburov", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -2513319271171337955}}
+{"date_created": "2017-04-15T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1073: DLL Side-Loading", "T1085: Rundll32"], "detection_rule": "Suspicious Control Panel DLL Load", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 1432057685812433424}}
+{"date_created": "2018-02-22T00:00:00", "customer": ["TESTCUSTOMER"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1036: Masquerading"], "detection_rule": "Exploit for CVE-2015-1641", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 7919951530295921335}}
+{"date_created": "2018-12-27T00:00:00", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1059: Command-Line Interface", "T1202: Indirect Command Execution"], "detection_rule": "Suspicious Execution from Outlook", "detection_rule_author": "Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 1042025181464593029}}
+{"date_created": "2018-03-07T00:00:00", "customer": ["None"], "tactic": ["TA0002: Execution", "TA0003: Persistence"], "technique": ["T1047: Windows Management Instrumentation"], "detection_rule": "WMI Persistence - Script Event Consumer", "detection_rule_author": "Thomas Patzke", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Windows Log", "Applications and Services Logs"], "channel": ["Security", "Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Security-Auditing", "Microsoft-Windows-Sysmon"], "data_needed": ["DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 931006313443131788}}
+{"date_created": "2019-10-21T00:00:00", "customer": ["None"], "tactic": ["TA0010: Exfiltration"], "technique": ["T1002: Data Compressed"], "detection_rule": "Data Compressed", "detection_rule_author": "Timur Zinniatullin, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 2518359665038395590}}
+{"date_created": "2019-10-26T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "technique": ["T1218: Signed Binary Proxy Execution"], "detection_rule": "Possible Application Whitelisting Bypass via WinDbg/CDB as a shellcode runner", "detection_rule_author": "Beyu Denis, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["not defined"], "platform": ["not defined"], "type": ["not defined"], "channel": ["not defined"], "provider": ["not defined"], "data_needed": ["not defined"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 8692925249709969236}}
+{"date_created": "2019-04-17T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1036: Masquerading"], "detection_rule": "Execution of Renamed PaExec", "detection_rule_author": "Jason Lynch", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 504858502201183515}}
 {"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0006: Credential Access"], "technique": ["T1003: Credential Dumping"], "detection_rule": "Mimikatz Detection LSASS Access", "detection_rule_author": "not defined", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0014_10_windows_sysmon_ProcessAccess"], "logging_policy": ["LP_0007_windows_sysmon_ProcessAccess"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 8872171226808416490}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0008: Lateral Movement", "TA0006: Credential Access"], "technique": ["T1003: Credential Dumping"], "detection_rule": "Mimikatz In-Memory", "detection_rule_author": "not defined", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0011_7_windows_sysmon_image_loaded"], "logging_policy": ["LP_0006_windows_sysmon_image_loaded"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 4705375919945933586}}
-{"date_created": "2018-07-24T00:00:00", "customer": ["None"], "tactic": ["TA0006: Credential Access"], "technique": ["T1003: Credential Dumping"], "detection_rule": "Detection of SafetyKatz", "detection_rule_author": "Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0015_11_windows_sysmon_FileCreate"], "logging_policy": ["LP_0008_windows_sysmon_FileCreate"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -7664502140650414619}}
-{"date_created": "2017-08-28T00:00:00", "customer": ["None"], "tactic": ["not defined"], "technique": ["not defined"], "detection_rule": "Usage of Sysinternals Tools", "detection_rule_author": "Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent", "DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["not defined", "LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -4455204359951029341}}
-{"date_created": "2019-04-15T00:00:00", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1086: PowerShell"], "detection_rule": "Suspicious Scripting in a WMI Consumer", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0023_20_windows_sysmon_WmiEvent"], "logging_policy": ["LP_0010_windows_sysmon_WmiEvent"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 8334480956502422543}}
-{"date_created": "2018-04-11T00:00:00", "customer": ["None"], "tactic": ["TA0004: Privilege Escalation", "TA0003: Persistence", "TA0005: Defense Evasion"], "technique": ["T1183: Image File Execution Options Injection"], "detection_rule": "Registry Persistence Mechanisms", "detection_rule_author": "Karneades", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -8489466280973962871}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1086: PowerShell"], "detection_rule": "PowerShell Network Connections", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0007_3_windows_sysmon_network_connection"], "logging_policy": ["LP_0005_windows_sysmon_network_connection"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 3140751179836404153}}
-{"date_created": "2019-02-21T00:00:00", "customer": ["None"], "tactic": ["not defined"], "technique": ["not defined"], "detection_rule": "Hijack legit RDP session to move laterally", "detection_rule_author": "Samir Bousseaden", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0015_11_windows_sysmon_FileCreate"], "logging_policy": ["LP_0008_windows_sysmon_FileCreate"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -2191039979058853002}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1055: Process Injection"], "detection_rule": "CobaltStrike Process Injection", "detection_rule_author": "Olaf Hartong, Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0012_8_windows_sysmon_CreateRemoteThread"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 8163739312322142981}}
-{"date_created": "2019-05-21T00:00:00", "customer": ["None"], "tactic": ["not defined"], "technique": ["not defined"], "detection_rule": "Renamed PsExec", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0011_7_windows_sysmon_image_loaded", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0006_windows_sysmon_image_loaded", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -1156358019368213279}}
+{"index": {"_id": 3873447962599020271}}
 {"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0003: Persistence"], "technique": ["T1050: New Service"], "detection_rule": "Suspicious Driver Load from Temp", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0010_6_windows_sysmon_driver_loaded"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 4518872552812643563}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0003: Persistence", "TA0008: Lateral Movement"], "technique": ["T1037: Logon Scripts"], "detection_rule": "Logon Scripts (UserInitMprLogonScript)", "detection_rule_author": "Tom Ueltschi (@c_APT_ure)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0015_11_windows_sysmon_FileCreate", "DN_0017_13_windows_sysmon_RegistryEvent", "DN_0016_12_windows_sysmon_RegistryEvent", "DN_0003_1_windows_sysmon_process_creation", "DN_0018_14_windows_sysmon_RegistryEvent"], "logging_policy": ["LP_0008_windows_sysmon_FileCreate", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 2481558128066771924}}
-{"date_created": "2018-03-07T00:00:00", "customer": ["None"], "tactic": ["TA0003: Persistence"], "technique": ["T1084: Windows Management Instrumentation Event Subscription"], "detection_rule": "WMI Persistence - Command Line Event Consumer", "detection_rule_author": "Thomas Patzke", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0011_7_windows_sysmon_image_loaded"], "logging_policy": ["LP_0006_windows_sysmon_image_loaded"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -1885137991778577188}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0006: Credential Access"], "technique": ["T1003: Credential Dumping"], "detection_rule": "Password Dumper Remote Thread in LSASS", "detection_rule_author": "Thomas Patzke", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "stable", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0012_8_windows_sysmon_CreateRemoteThread"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 2770244191494873215}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0006: Credential Access"], "technique": ["T1003: Credential Dumping"], "detection_rule": "LSASS Memory Dump", "detection_rule_author": "Samir Bousseaden", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0014_10_windows_sysmon_ProcessAccess"], "logging_policy": ["LP_0007_windows_sysmon_ProcessAccess"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -4753607984911003504}}
-{"date_created": "2017-05-08T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1073: DLL Side-Loading"], "detection_rule": "DNS ServerLevelPluginDll Install", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent", "DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["not defined", "LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -7803996740853489034}}
-{"date_created": "2018-11-22T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "technique": ["T1064: Scripting"], "detection_rule": "Suspicious File Characteristics due to Missing Fields", "detection_rule_author": "Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0011_7_windows_sysmon_image_loaded", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0006_windows_sysmon_image_loaded", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -7400443350882457361}}
-{"date_created": "2018-06-03T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1027: Obfuscated Files or Information"], "detection_rule": "Executable in ADS", "detection_rule_author": "Florian Roth, @0xrawsec", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0019_15_windows_sysmon_FileCreateStreamHash"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -7654435461803661785}}
-{"date_created": "2018-02-10T00:00:00", "customer": ["None"], "tactic": ["TA0006: Credential Access"], "technique": ["T1003: Credential Dumping"], "detection_rule": "QuarksPwDump Dump File", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0015_11_windows_sysmon_FileCreate"], "logging_policy": ["LP_0008_windows_sysmon_FileCreate"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -5707091725101567536}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0004: Privilege Escalation"], "technique": ["T1088: Bypass User Account Control"], "detection_rule": "UAC Bypass via sdclt", "detection_rule_author": "Omer Yampel", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 3874333755700886275}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1055: Process Injection", "T1064: Scripting"], "detection_rule": "CACTUSTORCH Remote Thread Creation", "detection_rule_author": "@SBousseaden (detection), Thomas Patzke (rule)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0012_8_windows_sysmon_CreateRemoteThread"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 5280588388881239412}}
-{"date_created": "2018-08-30T00:00:00", "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "technique": ["T1105: Remote File Copy"], "detection_rule": "Microsoft Binary Suspicious Communication Endpoint", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0007_3_windows_sysmon_network_connection"], "logging_policy": ["LP_0005_windows_sysmon_network_connection"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -8436125286050562553}}
-{"date_created": "2018-03-06T00:00:00", "customer": ["None"], "tactic": ["TA0002: Execution", "TA0003: Persistence", "TA0004: Privilege Escalation"], "technique": ["T1053: Scheduled Task", "T1086: PowerShell"], "detection_rule": "Default PowerSploit and Empire Schtasks Persistence", "detection_rule_author": "Markus Neis, @Karneades", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 2420117582150067371}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "technique": ["T1105: Remote File Copy"], "detection_rule": "Microsoft Binary Github Communication", "detection_rule_author": "Michael Haag (idea), Florian Roth (rule)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0007_3_windows_sysmon_network_connection"], "logging_policy": ["LP_0005_windows_sysmon_network_connection"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -3749920763873176360}}
-{"date_created": "2017-03-19T00:00:00", "customer": ["None"], "tactic": ["TA0011: Command and Control"], "technique": ["T1043: Commonly Used Port"], "detection_rule": "Suspicious Typical Malware Back Connect Ports", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0007_3_windows_sysmon_network_connection"], "logging_policy": ["LP_0005_windows_sysmon_network_connection"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 375440707426303426}}
-{"date_created": "2019-01-12T00:00:00", "customer": ["None"], "tactic": ["TA0003: Persistence"], "technique": ["T1084: Windows Management Instrumentation Event Subscription"], "detection_rule": "WMI Event Subscription", "detection_rule_author": "Tom Ueltschi (@c_APT_ure)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0023_20_windows_sysmon_WmiEvent", "DN_0024_21_windows_sysmon_WmiEvent", "DN_0022_19_windows_sysmon_WmiEvent"], "logging_policy": ["LP_0010_windows_sysmon_WmiEvent"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 8946904996396488556}}
-{"date_created": "2018-03-07T00:00:00", "customer": ["None"], "tactic": ["TA0003: Persistence"], "technique": ["T1084: Windows Management Instrumentation Event Subscription"], "detection_rule": "WMI Persistence - Script Event Consumer File Write", "detection_rule_author": "Thomas Patzke", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0015_11_windows_sysmon_FileCreate"], "logging_policy": ["LP_0008_windows_sysmon_FileCreate"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -277935351275431253}}
-{"date_created": "2017-11-04T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "technique": ["T1085: Rundll32"], "detection_rule": "Rundll32 Internet Connection", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0007_3_windows_sysmon_network_connection"], "logging_policy": ["LP_0005_windows_sysmon_network_connection"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -1763050081911496073}}
-{"date_created": "2017-11-06T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0004: Privilege Escalation"], "technique": ["T1055: Process Injection"], "detection_rule": "Malicious Named Pipe", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0021_18_windows_sysmon_PipeEvent", "DN_0020_17_windows_sysmon_PipeEvent"], "logging_policy": ["LP_0009_windows_sysmon_PipeEvent"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -7806475782286078451}}
-{"date_created": "2018-07-18T00:00:00", "customer": ["None"], "tactic": ["TA0003: Persistence"], "technique": ["T1060: Registry Run Keys / Startup Folder"], "detection_rule": "Registry Persistence via Explorer Run Key", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 572671872338474526}}
-{"date_created": "2019-08-27T00:00:00", "customer": ["None"], "tactic": ["TA0002: Execution", "TA0005: Defense Evasion"], "technique": ["T1196: Control Panel Items"], "detection_rule": "Control Panel Items", "detection_rule_author": "Kyaw Min Thein", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 1517096265659267565}}
-{"date_created": "2017-03-19T00:00:00", "customer": ["None"], "tactic": ["not defined"], "technique": ["not defined"], "detection_rule": "Suspicious Program Location with Network Connections", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0007_3_windows_sysmon_network_connection"], "logging_policy": ["LP_0005_windows_sysmon_network_connection"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -2336292099515471198}}
-{"date_created": "2018-01-07T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1073: DLL Side-Loading"], "detection_rule": "Possible Process Hollowing Image Loading", "detection_rule_author": "Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0011_7_windows_sysmon_image_loaded"], "logging_policy": ["LP_0006_windows_sysmon_image_loaded"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -1161311687241427099}}
-{"date_created": "2018-04-07T00:00:00", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1086: PowerShell"], "detection_rule": "Malicious PowerShell Commandlet Names", "detection_rule_author": "Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0015_11_windows_sysmon_FileCreate"], "logging_policy": ["LP_0008_windows_sysmon_FileCreate"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 8399440716633592987}}
-{"date_created": "2019-08-22T00:00:00", "customer": ["None"], "tactic": ["not defined"], "technique": ["not defined"], "detection_rule": "Renamed PowerShell", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0011_7_windows_sysmon_image_loaded", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0006_windows_sysmon_image_loaded", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -1435131919728444595}}
-{"date_created": "2019-05-22T00:00:00", "customer": ["None"], "tactic": ["TA0004: Privilege Escalation", "TA0002: Execution"], "technique": ["T1053: Scheduled Task"], "detection_rule": "Windows 10 scheduled task SandboxEscaper 0-day", "detection_rule_author": "Olaf Hartong", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0003_1_windows_sysmon_process_creation", "DN_0002_4688_windows_process_creation_with_commandline"], "logging_policy": ["LP_0003_windows_sysmon_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0001_windows_audit_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 1558219925420517470}}
-{"date_created": "2019-02-16T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0011: Command and Control"], "technique": ["T1076: Remote Desktop Protocol"], "detection_rule": "RDP over Reverse SSH Tunnel", "detection_rule_author": "Samir Bousseaden", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0007_3_windows_sysmon_network_connection"], "logging_policy": ["LP_0005_windows_sysmon_network_connection"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -5121916205428296936}}
+{"index": {"_id": 105194620879372746}}
 {"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0004: Privilege Escalation"], "technique": ["T1088: Bypass User Account Control"], "detection_rule": "UAC Bypass via Event Viewer", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["not defined", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -7970138821092146356}}
-{"date_created": "2019-01-18T00:00:00", "customer": ["None"], "tactic": ["TA0003: Persistence"], "technique": ["T1011: Exfiltration Over Other Network Medium"], "detection_rule": "Security Support Provider (SSP) added to LSA configuration", "detection_rule_author": "iwillkeepwatch", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 3281402942761485734}}
-{"date_created": "2019-01-18T00:00:00", "customer": ["None"], "tactic": ["TA0003: Persistence"], "technique": ["T1060: Registry Run Keys / Startup Folder"], "detection_rule": "New RUN Key Pointing to Suspicious Folder", "detection_rule_author": "Florian Roth, Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -5281122476350473878}}
+{"index": {"_id": -2477644294089639364}}
+{"date_created": "2019-01-12T00:00:00", "customer": ["None"], "tactic": ["TA0003: Persistence"], "technique": ["T1084: Windows Management Instrumentation Event Subscription"], "detection_rule": "WMI Event Subscription", "detection_rule_author": "Tom Ueltschi (@c_APT_ure)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0022_19_windows_sysmon_WmiEvent", "DN_0024_21_windows_sysmon_WmiEvent", "DN_0023_20_windows_sysmon_WmiEvent"], "logging_policy": ["LP_0010_windows_sysmon_WmiEvent"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -6088157267731418337}}
+{"date_created": "2018-11-30T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1055: Process Injection"], "detection_rule": "CobaltStrike Process Injection", "detection_rule_author": "Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0012_8_windows_sysmon_CreateRemoteThread"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -4375866600844429421}}
 {"date_created": "2017-05-15T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1073: DLL Side-Loading", "T1112: Modify Registry"], "detection_rule": "DHCP Callout DLL installation", "detection_rule_author": "Dimitrios Slamaris", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": -7992395968279454184}}
-{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0006: Credential Access", "TA0002: Execution"], "technique": ["T1003: Credential Dumping", "T1028: Windows Remote Management"], "detection_rule": "Mimikatz through Windows Remote Management", "detection_rule_author": "Patryk Prauze - ING Tech", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "stable", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0014_10_windows_sysmon_ProcessAccess"], "logging_policy": ["LP_0007_windows_sysmon_ProcessAccess"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
-{"index": {"_id": 3556614345430691884}}
+{"index": {"_id": -1840123786356417775}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0003: Persistence", "TA0008: Lateral Movement"], "technique": ["T1037: Logon Scripts"], "detection_rule": "Logon Scripts (UserInitMprLogonScript)", "detection_rule_author": "Tom Ueltschi (@c_APT_ure)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent", "DN_0002_4688_windows_process_creation_with_commandline", "DN_0015_11_windows_sysmon_FileCreate", "DN_0003_1_windows_sysmon_process_creation", "DN_0018_14_windows_sysmon_RegistryEvent", "DN_0016_12_windows_sysmon_RegistryEvent"], "logging_policy": ["not defined", "LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0008_windows_sysmon_FileCreate", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -3017633683878560791}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "technique": ["T1105: Remote File Copy"], "detection_rule": "Microsoft Binary Github Communication", "detection_rule_author": "Michael Haag (idea), Florian Roth (rule)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0007_3_windows_sysmon_network_connection"], "logging_policy": ["LP_0005_windows_sysmon_network_connection"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 47377844313059732}}
+{"date_created": "2018-07-24T00:00:00", "customer": ["None"], "tactic": ["TA0006: Credential Access"], "technique": ["T1003: Credential Dumping"], "detection_rule": "Detection of SafetyKatz", "detection_rule_author": "Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0015_11_windows_sysmon_FileCreate"], "logging_policy": ["LP_0008_windows_sysmon_FileCreate"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 1007118072070240740}}
+{"date_created": "2019-02-16T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0011: Command and Control"], "technique": ["T1076: Remote Desktop Protocol"], "detection_rule": "RDP over Reverse SSH Tunnel", "detection_rule_author": "Samir Bousseaden", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0007_3_windows_sysmon_network_connection"], "logging_policy": ["LP_0005_windows_sysmon_network_connection"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 2194941077559236144}}
 {"date_created": "2019-04-03T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["not defined"], "detection_rule": "RDP Sensitive Settings Changed", "detection_rule_author": "Samir Bousseaden", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -6591282280399892745}}
+{"date_created": "2018-03-15T00:00:00", "customer": ["None"], "tactic": ["TA0004: Privilege Escalation", "TA0003: Persistence"], "technique": ["T1015: Accessibility Features"], "detection_rule": "Sticky Key Like Backdoor Usage", "detection_rule_author": "Florian Roth, @twjackomo", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent", "DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["not defined", "LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 2707373172261762421}}
+{"date_created": "2019-10-23T00:00:00", "customer": ["None"], "tactic": ["TA0003: Persistence"], "technique": ["T1122: Component Object Model Hijacking"], "detection_rule": "Windows Registry Persistence - COM key linking", "detection_rule_author": "Kutepov Anton, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0016_12_windows_sysmon_RegistryEvent"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -2700775582223974096}}
+{"date_created": "2017-03-04T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0004: Privilege Escalation"], "technique": ["T1055: Process Injection"], "detection_rule": "Malware Shellcode in Verclsid Target Process", "detection_rule_author": "John Lambert (tech), Florian Roth (rule)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0014_10_windows_sysmon_ProcessAccess"], "logging_policy": ["LP_0007_windows_sysmon_ProcessAccess"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -6621807699562673122}}
+{"date_created": "2018-02-10T00:00:00", "customer": ["None"], "tactic": ["TA0006: Credential Access"], "technique": ["T1003: Credential Dumping"], "detection_rule": "QuarksPwDump Dump File", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0015_11_windows_sysmon_FileCreate"], "logging_policy": ["LP_0008_windows_sysmon_FileCreate"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -1059915780485808139}}
+{"date_created": "2019-10-16T00:00:00", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1177: LSASS Driver"], "detection_rule": "DLL Load via LSASS", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent", "DN_0016_12_windows_sysmon_RegistryEvent"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 7052277824488610650}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0006: Credential Access", "TA0002: Execution"], "technique": ["T1003: Credential Dumping", "T1028: Windows Remote Management"], "detection_rule": "Mimikatz through Windows Remote Management", "detection_rule_author": "Patryk Prauze - ING Tech", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "stable", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0014_10_windows_sysmon_ProcessAccess"], "logging_policy": ["LP_0007_windows_sysmon_ProcessAccess"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -6822682410774733708}}
+{"date_created": "2019-10-28T00:00:00", "customer": ["None"], "tactic": ["TA0003: Persistence", "TA0005: Defense Evasion"], "technique": ["T1073: DLL Side-Loading", "T1038: DLL Search Order Hijacking", "T1112: Modify Registry"], "detection_rule": "Svchost DLL Search Order Hijack", "detection_rule_author": "SBousseaden", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0011_7_windows_sysmon_image_loaded"], "logging_policy": ["LP_0006_windows_sysmon_image_loaded"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 3161362252291677267}}
+{"date_created": "2019-08-22T00:00:00", "customer": ["None"], "tactic": ["not defined"], "technique": ["not defined"], "detection_rule": "Renamed PowerShell", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0011_7_windows_sysmon_image_loaded", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0006_windows_sysmon_image_loaded", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -6994119967465801105}}
+{"date_created": "2018-03-07T00:00:00", "customer": ["None"], "tactic": ["TA0003: Persistence"], "technique": ["T1084: Windows Management Instrumentation Event Subscription"], "detection_rule": "WMI Persistence - Script Event Consumer File Write", "detection_rule_author": "Thomas Patzke", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0015_11_windows_sysmon_FileCreate"], "logging_policy": ["LP_0008_windows_sysmon_FileCreate"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 2425161143449345741}}
+{"date_created": "2017-03-19T00:00:00", "customer": ["None"], "tactic": ["not defined"], "technique": ["not defined"], "detection_rule": "Suspicious Program Location with Network Connections", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0007_3_windows_sysmon_network_connection"], "logging_policy": ["LP_0005_windows_sysmon_network_connection"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 3945935707703321492}}
+{"date_created": "2019-04-15T00:00:00", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1086: PowerShell"], "detection_rule": "Suspicious Scripting in a WMI Consumer", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0023_20_windows_sysmon_WmiEvent"], "logging_policy": ["LP_0010_windows_sysmon_WmiEvent"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 537938989927271900}}
+{"date_created": "2017-08-28T00:00:00", "customer": ["None"], "tactic": ["not defined"], "technique": ["not defined"], "detection_rule": "Usage of Sysinternals Tools", "detection_rule_author": "Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent", "DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["not defined", "LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -3880128167925100856}}
+{"date_created": "2017-11-04T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "technique": ["T1085: Rundll32"], "detection_rule": "Rundll32 Internet Connection", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0007_3_windows_sysmon_network_connection"], "logging_policy": ["LP_0005_windows_sysmon_network_connection"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 480251357539693441}}
+{"date_created": "2018-03-07T00:00:00", "customer": ["None"], "tactic": ["TA0003: Persistence"], "technique": ["T1084: Windows Management Instrumentation Event Subscription"], "detection_rule": "WMI Persistence - Command Line Event Consumer", "detection_rule_author": "Thomas Patzke", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0011_7_windows_sysmon_image_loaded"], "logging_policy": ["LP_0006_windows_sysmon_image_loaded"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 5081063789895835465}}
+{"date_created": "2018-04-07T00:00:00", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1086: PowerShell"], "detection_rule": "Malicious PowerShell Commandlet Names", "detection_rule_author": "Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0015_11_windows_sysmon_FileCreate"], "logging_policy": ["LP_0008_windows_sysmon_FileCreate"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 6489912540765680904}}
+{"date_created": "2019-10-01T00:00:00", "customer": ["None"], "tactic": ["TA0003: Persistence"], "technique": ["T1060: Registry Run Keys / Startup Folder"], "detection_rule": "Suspicious RUN Key from Download", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 3530573448427464372}}
+{"date_created": "2019-02-21T00:00:00", "customer": ["None"], "tactic": ["not defined"], "technique": ["not defined"], "detection_rule": "Hijack legit RDP session to move laterally", "detection_rule_author": "Samir Bousseaden", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0015_11_windows_sysmon_FileCreate"], "logging_policy": ["LP_0008_windows_sysmon_FileCreate"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -6349534898220232231}}
+{"date_created": "2019-05-21T00:00:00", "customer": ["None"], "tactic": ["not defined"], "technique": ["not defined"], "detection_rule": "Renamed PsExec", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0011_7_windows_sysmon_image_loaded", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0006_windows_sysmon_image_loaded", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -459238072478347060}}
+{"date_created": "2019-01-18T00:00:00", "customer": ["None"], "tactic": ["TA0003: Persistence"], "technique": ["T1011: Exfiltration Over Other Network Medium"], "detection_rule": "Security Support Provider (SSP) added to LSA configuration", "detection_rule_author": "iwillkeepwatch", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 7147387360552034122}}
+{"date_created": "2019-10-12T00:00:00", "customer": ["None"], "tactic": ["not defined"], "technique": ["not defined"], "detection_rule": "Suspicious Keyboard Layout Load", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -4654846179724769019}}
+{"date_created": "2018-06-03T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1027: Obfuscated Files or Information"], "detection_rule": "Executable in ADS", "detection_rule_author": "Florian Roth, @0xrawsec", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0019_15_windows_sysmon_FileCreateStreamHash"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 486529890070926628}}
+{"date_created": "2018-06-03T00:00:00", "customer": ["None"], "tactic": ["TA0003: Persistence"], "technique": ["T1060: Registry Run Keys / Startup Folder"], "detection_rule": "New RUN Key Pointing to Suspicious Folder", "detection_rule_author": "Florian Roth, Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -9132035679035497747}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1086: PowerShell"], "detection_rule": "PowerShell Network Connections", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "low", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0007_3_windows_sysmon_network_connection"], "logging_policy": ["LP_0005_windows_sysmon_network_connection"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 2986776971241762003}}
+{"date_created": "2018-01-07T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1073: DLL Side-Loading"], "detection_rule": "Possible Process Hollowing Image Loading", "detection_rule_author": "Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0011_7_windows_sysmon_image_loaded"], "logging_policy": ["LP_0006_windows_sysmon_image_loaded"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -4927129727398152460}}
+{"date_created": "2017-03-19T00:00:00", "customer": ["None"], "tactic": ["TA0011: Command and Control"], "technique": ["T1043: Commonly Used Port"], "detection_rule": "Suspicious Typical Malware Back Connect Ports", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0007_3_windows_sysmon_network_connection"], "logging_policy": ["LP_0005_windows_sysmon_network_connection"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -8725688405459289170}}
+{"date_created": "2019-11-18T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1036: Masquerading"], "detection_rule": "Renamed ProcDump", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0011_7_windows_sysmon_image_loaded", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0006_windows_sysmon_image_loaded", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 1868773110842719415}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["TESTCUSTOMER"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "technique": ["T1191: CMSTP"], "detection_rule": "CMSTP Execution", "detection_rule_author": "Nik Seetharaman", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "stable", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0014_10_windows_sysmon_ProcessAccess", "DN_0017_13_windows_sysmon_RegistryEvent", "DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation", "DN_0016_12_windows_sysmon_RegistryEvent"], "logging_policy": ["LP_0007_windows_sysmon_ProcessAccess", "LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -1915748753346231287}}
+{"date_created": "2018-07-18T00:00:00", "customer": ["None"], "tactic": ["TA0003: Persistence"], "technique": ["T1060: Registry Run Keys / Startup Folder"], "detection_rule": "Registry Persistence via Explorer Run Key", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -823769167786416501}}
+{"date_created": "2018-08-30T00:00:00", "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "technique": ["T1105: Remote File Copy"], "detection_rule": "Microsoft Binary Suspicious Communication Endpoint", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0007_3_windows_sysmon_network_connection"], "logging_policy": ["LP_0005_windows_sysmon_network_connection"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 9203259538906153535}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0004: Privilege Escalation"], "technique": ["T1088: Bypass User Account Control"], "detection_rule": "UAC Bypass via sdclt", "detection_rule_author": "Omer Yampel", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 4894482585193934319}}
+{"date_created": "2018-06-25T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "technique": ["T1085: Rundll32", "T1086: PowerShell"], "detection_rule": "PowerShell Rundll32 Remote Thread Creation", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0012_8_windows_sysmon_CreateRemoteThread"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -4876302912707843087}}
+{"date_created": "2017-05-08T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion"], "technique": ["T1073: DLL Side-Loading"], "detection_rule": "DNS ServerLevelPluginDll Install", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs", "Windows Log"], "channel": ["Microsoft-Windows-Sysmon/Operational", "Security"], "provider": ["Microsoft-Windows-Sysmon", "Microsoft-Windows-Security-Auditing"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent", "DN_0002_4688_windows_process_creation_with_commandline", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["not defined", "LP_0001_windows_audit_process_creation", "LP_0002_windows_audit_process_creation_with_commandline", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -3941891294488131024}}
+{"date_created": "2017-11-06T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0004: Privilege Escalation"], "technique": ["T1055: Process Injection"], "detection_rule": "Malicious Named Pipe", "detection_rule_author": "Florian Roth", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0020_17_windows_sysmon_PipeEvent", "DN_0021_18_windows_sysmon_PipeEvent"], "logging_policy": ["LP_0009_windows_sysmon_PipeEvent"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -6016405129126855057}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0006: Credential Access"], "technique": ["T1003: Credential Dumping"], "detection_rule": "Password Dumper Remote Thread in LSASS", "detection_rule_author": "Thomas Patzke", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "stable", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0012_8_windows_sysmon_CreateRemoteThread"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 7112632562145545282}}
+{"date_created": "2019-05-15T00:00:00", "customer": ["None"], "tactic": ["TA0008: Lateral Movement"], "technique": ["T1210: Exploitation of Remote Services"], "detection_rule": "Suspicious Outbound RDP Connections", "detection_rule_author": "Markus Neis - Swisscom", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0007_3_windows_sysmon_network_connection"], "logging_policy": ["LP_0005_windows_sysmon_network_connection"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 1681362878003638867}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0006: Credential Access"], "technique": ["T1003: Credential Dumping"], "detection_rule": "LSASS Memory Dump", "detection_rule_author": "Samir Bousseaden", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0014_10_windows_sysmon_ProcessAccess"], "logging_policy": ["LP_0007_windows_sysmon_ProcessAccess"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 8773088457667138462}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0002: Execution"], "technique": ["T1055: Process Injection", "T1064: Scripting"], "detection_rule": "CACTUSTORCH Remote Thread Creation", "detection_rule_author": "@SBousseaden (detection), Thomas Patzke (rule)", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "high", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0012_8_windows_sysmon_CreateRemoteThread"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -8063474543306488806}}
+{"date_created": "2019-10-22T00:00:00", "customer": ["None"], "tactic": ["TA0003: Persistence"], "technique": ["T1100: Web Shell"], "detection_rule": "Windows webshell creation", "detection_rule_author": "Beyu Denis, oscd.community", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0015_11_windows_sysmon_FileCreate"], "logging_policy": ["LP_0008_windows_sysmon_FileCreate"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -4440373072769232673}}
+{"date_created": "2018-04-11T00:00:00", "customer": ["None"], "tactic": ["TA0004: Privilege Escalation", "TA0003: Persistence", "TA0005: Defense Evasion"], "technique": ["T1183: Image File Execution Options Injection"], "detection_rule": "Registry Persistence Mechanisms", "detection_rule_author": "Karneades", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "not defined", "detection_rule_severity": "critical", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0017_13_windows_sysmon_RegistryEvent"], "logging_policy": ["not defined"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": -15503957766113557}}
+{"date_created": "2018-11-22T00:00:00", "customer": ["None"], "tactic": ["TA0005: Defense Evasion", "TA0002: Execution"], "technique": ["T1064: Scripting"], "detection_rule": "Suspicious File Characteristics due to Missing Fields", "detection_rule_author": "Markus Neis", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0011_7_windows_sysmon_image_loaded", "DN_0003_1_windows_sysmon_process_creation"], "logging_policy": ["LP_0006_windows_sysmon_image_loaded", "LP_0003_windows_sysmon_process_creation"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
+{"index": {"_id": 4158498124137694971}}
+{"date_created": "2019-03-01T22:50:37.587060", "customer": ["None"], "tactic": ["TA0008: Lateral Movement", "TA0006: Credential Access"], "technique": ["T1003: Credential Dumping"], "detection_rule": "Mimikatz In-Memory", "detection_rule_author": "not defined", "detection_rule_internal_responsible": "not defined", "detection_rule_development_status": "experimental", "detection_rule_severity": "medium", "detection_rule_confidence": "not defined", "category": ["OS Logs"], "platform": ["Windows"], "type": ["Applications and Services Logs"], "channel": ["Microsoft-Windows-Sysmon/Operational"], "provider": ["Microsoft-Windows-Sysmon"], "data_needed": ["DN_0011_7_windows_sysmon_image_loaded"], "logging_policy": ["LP_0006_windows_sysmon_image_loaded"], "enrichment": ["not defined"], "enrichment_requirements": ["not defined"]}
diff --git a/analytics/generated/attack_navigator_profiles/atc_attack_navigator_profile.json b/analytics/generated/attack_navigator_profiles/atc_attack_navigator_profile.json
index 3106b9b..64f96ea 100644
--- a/analytics/generated/attack_navigator_profiles/atc_attack_navigator_profile.json
+++ b/analytics/generated/attack_navigator_profiles/atc_attack_navigator_profile.json
@@ -1 +1 @@
-{"name": "ATC-Export", "version": "2.1", "domain": "mitre-enterprise", "description": "", "filters": {"stages": ["act"], "platforms": ["linux", "windows"]}, "sorting": 0, "viewMode": 0, "hideDisabled": true, "techniques": [{"techniqueID": "T1087", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1069", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0039", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1208", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1099", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0005", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1078", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1078", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0002", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1076", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1087", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1107", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1066", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0195", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1075", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1098", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1098", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1178", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1178", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1075", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1078", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1136", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1075", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0002", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1070", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1070", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1073", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1140", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1210", "tactic": "initial-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1210", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1190", "tactic": "initial-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1190", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1077", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1077", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1035", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1035", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1073", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1050", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1050", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1087", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1087", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1075", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1075", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1114", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1114", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0002", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0002", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1078", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1073", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1054", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1050", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1050", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1078", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1098", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1098", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1212", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1089", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1211", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0005", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1077", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1107", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1212", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1089", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1212", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1077", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1200", "tactic": "initial-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1075", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1077", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1078", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1076", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1076", "tactic": "command-and-control", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1210", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1078", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1078", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1100", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1203", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1203", "tactic": "command-and-control", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1219", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1219", "tactic": "command-and-control", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1112", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1035", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0029", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0111", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1047", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1047", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1096", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1047", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1047", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1047", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1068", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0039", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0039", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1127", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1127", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1070", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1070", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1070", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1035", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0029", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1073", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1138", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1175", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1090", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1090", "tactic": "command-and-control", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1015", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1015", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1208", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1046", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1158", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1158", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1118", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1121", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1127", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1170", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1202", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1202", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1202", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1140", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1140", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1073", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1197", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1197", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0190", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0190", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1033", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1100", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1087", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1082", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0111", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0111", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0111", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1100", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1100", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1090", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1090", "tactic": "command-and-control", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1203", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1202", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1202", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1117", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1117", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1100", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1100", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1088", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1088", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0005", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1100", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1211", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1140", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1105", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0189", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0007", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1070", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "process-injection", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "signed-binary-proxy-execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1218", "tactic": "process-injection", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1218", "tactic": "signed-binary-proxy-execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1500", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1219", "tactic": "command-and-control", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1088", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1088", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1088", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1191", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1191", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1191", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0069", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0069", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0069", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1140", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1140", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1047", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1087", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1070", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1070", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1067", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1067", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1140", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1027", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0013", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1073", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1170", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1170", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1170", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1170", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1076", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1076", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1193", "tactic": "initial-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1021", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1015", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1015", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1191", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1191", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0069", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0069", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1210", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0002", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0002", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0002", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1183", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1183", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1183", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1050", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1037", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1037", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1084", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0005", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0002", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1073", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1027", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0139", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1088", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1088", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1105", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0111", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0111", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0111", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0022", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0022", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0022", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0060", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0060", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0060", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1105", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1043", "tactic": "command-and-control", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1084", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1084", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1060", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1196", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1196", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1073", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1076", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1076", "tactic": "command-and-control", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1088", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1088", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1011", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1060", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1073", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1112", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1028", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1028", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0005", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0005", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}], "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": 100}, "legendItems": [], "showTacticRowBackground": false, "tacticRowBackground": "#dddddd", "selectTechniquesAcrossTactics": true}
\ No newline at end of file
+{"name": "ATC-Export", "version": "2.1", "domain": "mitre-enterprise", "description": "", "filters": {"stages": ["act"], "platforms": ["linux", "windows"]}, "sorting": 0, "viewMode": 0, "hideDisabled": true, "techniques": [{"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1212", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1077", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1087", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1087", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1075", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1075", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1114", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1114", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1070", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1078", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1107", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1066", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0195", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0005", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1210", "tactic": "initial-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1210", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1190", "tactic": "initial-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1190", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1075", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0002", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1050", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1050", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1136", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1078", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1075", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1099", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1210", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0002", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1098", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1098", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0002", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0002", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1054", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1075", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1073", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1078", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1077", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1076", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1212", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1208", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1178", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1178", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1050", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1050", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1078", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1078", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1078", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1073", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1076", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1076", "tactic": "command-and-control", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1077", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1077", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1035", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1035", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1098", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1098", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1070", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1089", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1212", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1089", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1211", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1171", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1171", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1077", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1087", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1069", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0039", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1107", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1073", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1087", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1078", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1078", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0005", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1140", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1075", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1200", "tactic": "initial-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1203", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1203", "tactic": "command-and-control", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1219", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1219", "tactic": "command-and-control", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1100", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1112", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1047", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1047", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0111", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1035", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0029", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1096", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1004", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1002", "tactic": "exfiltration", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1218", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1193", "tactic": "initial-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1100", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1100", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1170", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1170", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1140", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1100", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1218", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1218", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1218", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1218", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1012", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1007", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1140", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1105", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0189", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0007", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1046", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1105", "tactic": "command-and-control", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1218", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1218", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1015", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1015", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1084", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1158", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1158", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0013", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1073", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1035", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0029", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1076", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1076", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1070", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1040", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1073", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1090", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1090", "tactic": "command-and-control", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0111", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0111", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0111", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0022", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0022", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0022", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0060", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0060", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0060", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1068", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1033", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1087", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1500", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1033", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1202", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1202", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1100", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1047", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1218", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1218", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1088", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1088", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1211", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1087", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1117", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1117", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1117", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1035", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1208", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1197", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1197", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0190", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0190", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1053", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0111", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0111", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0111", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1047", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0039", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0039", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0005", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1218", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1218", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1170", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1170", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1118", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1121", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1127", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1170", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1220", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1138", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1175", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1203", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1068", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1020", "tactic": "exfiltration", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1002", "tactic": "exfiltration", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1042", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1090", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1090", "tactic": "command-and-control", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1219", "tactic": "command-and-control", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1100", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1100", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1088", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1088", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1088", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1191", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1191", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1191", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0069", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0069", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0069", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1140", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1027", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1218", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1218", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1070", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1070", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1067", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1067", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1087", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1082", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1140", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1140", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1070", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1070", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1070", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1070", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1047", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1175", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1040", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1040", "tactic": "discovery", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1140", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1202", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1202", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1193", "tactic": "initial-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1196", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1196", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1127", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1127", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1021", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "initial-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1202", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1202", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1202", "tactic": "initial-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1193", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1193", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1193", "tactic": "initial-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0032", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0032", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0032", "tactic": "initial-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1073", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1059", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1202", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1047", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1047", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1002", "tactic": "exfiltration", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1218", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1218", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0002", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1050", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1088", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1088", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1084", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1073", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1112", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1037", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1037", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1105", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1076", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1076", "tactic": "command-and-control", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1015", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1015", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1122", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1177", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1028", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1028", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0005", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0005", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1073", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1073", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1038", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1038", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1112", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1112", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1084", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1084", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1060", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1011", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1027", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0139", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1060", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1073", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1043", "tactic": "command-and-control", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1191", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1191", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0069", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0069", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1060", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1105", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1088", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1088", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1085", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1073", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0005", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1210", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0002", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1100", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1183", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1183", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1183", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1064", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0002", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0002", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "lateral-movement", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}], "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": 100}, "legendItems": [], "showTacticRowBackground": false, "tacticRowBackground": "#dddddd", "selectTechniquesAcrossTactics": true}
\ No newline at end of file
diff --git a/analytics/generated/pivoting.csv b/analytics/generated/pivoting.csv
index 74b3824..70129d2 100644
--- a/analytics/generated/pivoting.csv
+++ b/analytics/generated/pivoting.csv
@@ -8,83 +8,141 @@ SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Securit
 SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,,
 TaskName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,,
 TaskContent,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,,
-EventID,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,,
-Hostname,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,,
-Computer,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,,
-ProcessID,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,,
-ServiceName,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,,
-ImagePath,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,,
-ServiceFileName,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,,
-ServiceType,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,,
-StartType,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,,
-AccountName,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,,
-UserSid,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,,
-EventID,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,,
-Hostname,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,,
-Computer,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,,
-EventName,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,,
-Response,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,,
-CabId,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,,
-ProblemSignature,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,,
-AttachedFiles,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,,
-Thesefilesmaybeavailablehere,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,,
-AnalysisSymbol,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,,
-RecheckingForSolution,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,,
-ReportId,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,,
-ReportStatus,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,,
-HashedBucket,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,,
-EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,,
-Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,,
-Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,,
-OpCorrelationID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,,
-AppCorrelationID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,,
-SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,,
-SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,,
-SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,,
-SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,,
-DSName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,,
-DSType,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,,
-ObjectDN,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,,
-ObjectGUID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,,
-ObjectClass,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,,
-AttributeLDAPDisplayName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,,
-AttributeSyntaxOID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,,
-AttributeValue,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,,
-OperationType,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,,
-EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,,
-Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,,
-Hostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,,
-UtcTime,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,,
-ProcessGuid,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,,
-ProcessId,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,,
-Image,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,,
-User,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,,
-Protocol,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,,
-Initiated,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,,
-SourceIsIpv6,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,,
-SourceIp,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,,
-SourceHostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,,
-SourcePort,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,,
-SourcePortName,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,,
-DestinationIsIpv6,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,,
-DestinationIp,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,,
-DestinationHostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,,
-DestinationPort,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,,
-DestinationPortName,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,,
-EventID,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,,
-Computer,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,,
-Hostname,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,,
-EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,,
-Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,,
-Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,,
-SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,,
-SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,,
-SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,,
-SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,,
+EventID,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,,
+Hostname,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,,
+Computer,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,,
+EventID,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,,
+Hostname,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,,
+Computer,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,,
+FaultingApplicationName,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,,
+FaultingModuleName,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,,
+ExceptionCode,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,,
+FaultOffset,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,,
+FaultingProcessId,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,,
+FaultingApplicationStartTime,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,,
+FaultingApplicationPath,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,,
+FaultingModulePath,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,,
+ReportId,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,,
+FaultingPackageFullName,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,,
+FaultingPackage-relativeApplicationID,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,,
+EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,,
+ComputerName,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,,
+Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,,
+UMDFHostDeviceRequest,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,,
+lifetime,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,,
+instance,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,,
+EventID,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,,
+Computer,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,,
+Hostname,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,,
+EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,,
+Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,,
+Hostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,,
+UtcTime,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,,
+SourceProcessGUID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,,
+SourceProcessId,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,,
+SourceThreadId,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,,
+SourceImage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,,
+TargetProcessGUID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,,
+TargetProcessId,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,,
+TargetImage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,,
+GrantedAccess,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,,
+CallTrace,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,,
+EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,,
+Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,,
+Hostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,,
+EventType,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,,
+UtcTime,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,,
+ProcessGuid,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,,
+ProcessId,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,,
+Image,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,,
+TargetObject,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,,
+Details,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,,
+EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,,
+Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,,
+Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,,
+TargetUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,,
+TargetDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,,
+TargetSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,,
+SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,,
+SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,,
+SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,,
+SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,,
+PrivilegeList,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,,
+SamAccountName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,,
+SidHistory,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,,
+EventID,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,,
+Computer,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,,
+Hostname,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,,
 Hostname,AV Alerts,Linux,None,ClamAV,ClamAV,DN_0093_linux_clamav_log,,
 Signature,AV Alerts,Linux,None,ClamAV,ClamAV,DN_0093_linux_clamav_log,,
 FileName,AV Alerts,Linux,None,ClamAV,ClamAV,DN_0093_linux_clamav_log,,
 FilePath,AV Alerts,Linux,None,ClamAV,ClamAV,DN_0093_linux_clamav_log,,
+Hostname,AV Alerts,antivirus,None,None,None,DN_0084_av_alert,,
+Signature,AV Alerts,antivirus,None,None,None,DN_0084_av_alert,,
+AlertTitle,AV Alerts,antivirus,None,None,None,DN_0084_av_alert,,
+Category,AV Alerts,antivirus,None,None,None,DN_0084_av_alert,,
+Severity,AV Alerts,antivirus,None,None,None,DN_0084_av_alert,,
+Sha1,AV Alerts,antivirus,None,None,None,DN_0084_av_alert,,
+FileName,AV Alerts,antivirus,None,None,None,DN_0084_av_alert,,
+FilePath,AV Alerts,antivirus,None,None,None,DN_0084_av_alert,,
+IpAddress,AV Alerts,antivirus,None,None,None,DN_0084_av_alert,,
+UserName,AV Alerts,antivirus,None,None,None,DN_0084_av_alert,,
+UserDomain,AV Alerts,antivirus,None,None,None,DN_0084_av_alert,,
+FileHash,AV Alerts,antivirus,None,None,None,DN_0084_av_alert,,
+Hashes,AV Alerts,antivirus,None,None,None,DN_0084_av_alert,,
+Imphash,AV Alerts,antivirus,None,None,None,DN_0084_av_alert,,
+Sha256hash,AV Alerts,antivirus,None,None,None,DN_0084_av_alert,,
+Sha1hash,AV Alerts,antivirus,None,None,None,DN_0084_av_alert,,
+Md5hash,AV Alerts,antivirus,None,None,None,DN_0084_av_alert,,
+EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,,
+ComputerName,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,,
+Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,,
+UMDFHostDeviceArrivalBegin,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,,
+lifetime,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,,
+instance,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,,
+EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,,
+ComputerName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,,
+Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,,
+Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,,
+Subject,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,,
+SecurityID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,,
+AccountName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,,
+AccountDomain,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,,
+LogonID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,,
+TargetAccount,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,,
+SecurityID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,,
+AccountName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,,
+AccountDomain,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,,
+SourceAccount,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,,
+SecurityID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,,
+AccountName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,,
+AdditionalInformation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,,
+Privileges,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,,
+SIDList,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,,
+EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,,
+Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,,
+Hostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,,
+UtcTime,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,,
+EventType,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,,
+Operation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,,
+User,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,,
+EventNamespace,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,,
+Name,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,,
+Query,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,,
+RuleName,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,,
+EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,,
+Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,,
+Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,,
+MemberName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,,
+MemberSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,,
+TargetUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,,
+TargetDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,,
+TargetSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,,
+SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,,
+SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,,
+SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,,
+SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,,
+PrivilegeList,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,,
 EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,,
 AccountName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,,
 Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,,
@@ -110,52 +168,132 @@ ProcessId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditi
 ProcessName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,,
 IpAddress,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,,
 IpPort,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,,
-EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,,
-ComputerName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,,
-Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,,
-Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,,
-UserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,,
-UserID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,,
-UserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,,
-ServiceName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,,
-PreAuthenticationType,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,,
-FailureCode,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,,
-ClientAddress,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,,
-EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,,
-Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,,
-Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,,
-SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,,
-SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,,
-SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,,
-SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,,
-ObjectServer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,,
-HandleId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,,
-ProcessId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,,
-ProcessName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,,
-EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,,
-Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,,
-Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,,
-TargetUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,,
-TargetDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,,
-TargetSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,,
-SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,,
-SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,,
-SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,,
-SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,,
-PrivilegeList,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,,
-SamAccountName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,,
-SidHistory,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0070_4735_security_enabled_local_group_was_changed,,
-EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,,
-Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,,
-Hostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,,
-UtcTime,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,,
-ProcessGuid,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,,
-ProcessId,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,,
-Image,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,,
-EventID,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,,
-ComputerName,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,,
-Computer,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,,
-Hostname,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,,
+EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,,
+Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,,
+Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,,
+TargetUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,,
+TargetDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,,
+ServiceName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,,
+ServiceSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,,
+TicketOptions,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,,
+TicketEncryptionType,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,,
+IpAddress,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,,
+IpPort,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,,
+Status,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,,
+LogonGuid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,,
+TransmittedServices,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,,
+EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,,
+Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,,
+Hostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,,
+UtcTime,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,,
+ProcessGuid,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,,
+ProcessId,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,,
+Image,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,,
+TargetFilename,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,,
+CreationUtcTime,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,,
+PreviousCreationUtcTime,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,,
+EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,,
+Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,,
+Hostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,,
+NamespaceName,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,,
+Query,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,,
+ProcessID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,,
+Provider,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,,
+queryid,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,,
+PossibleCause,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,,
+CorrelationActivityID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,,
+EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,,
+Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,,
+Hostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,,
+MessageNumber,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,,
+MessageTotal,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,,
+ScriptBlockText,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,,
+ScriptBlockId,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,,
+Path,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,,
+EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,,
+Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,,
+Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,,
+SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,,
+SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,,
+SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,,
+SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,,
+Workstation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,,
+Status,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,,
+EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,,
+ComputerName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,,
+Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,,
+Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,,
+ProcessID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,,
+Application,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,,
+Direction,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,,
+SourceAddress,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,,
+SourcePort,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,,
+DestAddress,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,,
+DestPort,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,,
+Protocol,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,,
+FilterRTID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,,
+LayerName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,,
+LayerRTID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,,
+RemoteUserID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,,
+RemoteMachineID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,,
+EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,,
+Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,,
+SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,,
+SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,,
+SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,,
+SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,,
+NewProcessId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,,
+ProcessId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,,
+NewProcessName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,,
+ProcessName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,,
+NewProcessName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,,
+Image,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,,
+TokenElevationType,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,,
+CommandLine,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,,
+ProcessCommandLine,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,,
+ProcesssCommandLine,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,,
+TargetUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,,
+TargetUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,,
+TargetDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,,
+TargetLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,,
+ParentProcessName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,,
+ParentImage,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,,
+MandatoryLabel,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,,
+EventID,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,,
+Hostname,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,,
+Computer,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,,
+EventName,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,,
+Response,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,,
+CabId,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,,
+ProblemSignature,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,,
+AttachedFiles,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,,
+Thesefilesmaybeavailablehere,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,,
+AnalysisSymbol,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,,
+RecheckingForSolution,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,,
+ReportId,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,,
+ReportStatus,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,,
+HashedBucket,OS Logs,Windows,Windows Log,Application,Windows Error Reporting,DN_0045_1001_windows_error_reporting,,
+EventID,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,,
+Hostname,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,,
+Computer,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,,
+HiveNameLength,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,,
+HiveName,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,,
+KeysUpdated,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,,
+DirtyPages,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,,
+EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,,
+ComputerName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,,
+Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,,
+Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,,
+TargetUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,,
+TargetDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,,
+TargetSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,,
+SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,,
+SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,,
+SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,,
+SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,,
+PrivilegeList,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,,
+SamAccountName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,,
+SidHistory,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,,
 EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,,
 Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,,
 Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,,
@@ -173,344 +311,118 @@ AccessMask,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Audit
 Properties,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,,
 AdditionalInfo,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,,
 AdditionalInfo2,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,,
-type,OS Logs,Linux,PATH,auditd,auditd,DN_0055_linux_auditd_read_access_to_file,,
-msg,OS Logs,Linux,PATH,auditd,auditd,DN_0055_linux_auditd_read_access_to_file,,
-item,OS Logs,Linux,PATH,auditd,auditd,DN_0055_linux_auditd_read_access_to_file,,
-name,OS Logs,Linux,PATH,auditd,auditd,DN_0055_linux_auditd_read_access_to_file,,
-inode,OS Logs,Linux,PATH,auditd,auditd,DN_0055_linux_auditd_read_access_to_file,,
-dev,OS Logs,Linux,PATH,auditd,auditd,DN_0055_linux_auditd_read_access_to_file,,
-mode,OS Logs,Linux,PATH,auditd,auditd,DN_0055_linux_auditd_read_access_to_file,,
-ouid,OS Logs,Linux,PATH,auditd,auditd,DN_0055_linux_auditd_read_access_to_file,,
-ogid,OS Logs,Linux,PATH,auditd,auditd,DN_0055_linux_auditd_read_access_to_file,,
-rdev,OS Logs,Linux,PATH,auditd,auditd,DN_0055_linux_auditd_read_access_to_file,,
-obj,OS Logs,Linux,PATH,auditd,auditd,DN_0055_linux_auditd_read_access_to_file,,
-objtype,OS Logs,Linux,PATH,auditd,auditd,DN_0055_linux_auditd_read_access_to_file,,
-cap_fp,OS Logs,Linux,PATH,auditd,auditd,DN_0055_linux_auditd_read_access_to_file,,
-cap_fi,OS Logs,Linux,PATH,auditd,auditd,DN_0055_linux_auditd_read_access_to_file,,
-cap_fe,OS Logs,Linux,PATH,auditd,auditd,DN_0055_linux_auditd_read_access_to_file,,
-cap_fver,OS Logs,Linux,PATH,auditd,auditd,DN_0055_linux_auditd_read_access_to_file,,
-EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,,
-Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,,
-Hostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,,
-UtcTime,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,,
-ProcessGuid,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,,
-ProcessId,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,,
-Image,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,,
-TargetFilename,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,,
-CreationUtcTime,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,,
+EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,,
+Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,,
+Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,,
+SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,,
+SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,,
+SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,,
+SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,,
+ObjectName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,,
+ObjectValueName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,,
+HandleId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,,
+OperationType,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,,
+OldValueType,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,,
+OldValue,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,,
+NewValueType,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,,
+NewValue,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,,
+ProcessId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,,
+ProcessName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,,
+EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,,
+Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,,
+Hostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,,
+ContextInfo,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,,
+UserData,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,,
+Payload,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,,
+EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,,
+Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,,
+Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,,
+SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,,
+SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,,
+SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,,
+SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,,
+ServiceName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,,
+ServiceFileName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,,
+ServiceType,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,,
+ServiceStartType,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,,
+ServiceAccount,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,,
+EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,,
+ComputerName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,,
+Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,,
+Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,,
+TargetUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,,
+TargetDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,,
+TargetSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,,
+SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,,
+SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,,
+SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,,
+SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,,
+PrivilegeList,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,,
+SamAccountName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,,
+SidHistory,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,,
+EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,,
+Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,,
+Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,,
+SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,,
+SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,,
+SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,,
+SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,,
+ObjectServer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,,
+ObjectType,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,,
+ObjectName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,,
+HandleId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,,
+AccessList,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,,
+AccessMask,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,,
+ProcessId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,,
+ProcessName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,,
+ResourceAttributes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,,
 Hostname,OS Logs,Linux,client_security_log,client_security_log,named,DN_0096_linux_named_client_security_log,,
 ClientIP,OS Logs,Linux,client_security_log,client_security_log,named,DN_0096_linux_named_client_security_log,,
 ClientPort,OS Logs,Linux,client_security_log,client_security_log,named,DN_0096_linux_named_client_security_log,,
 ZoneTransferDomain,OS Logs,Linux,client_security_log,client_security_log,named,DN_0096_linux_named_client_security_log,,
 Message,OS Logs,Linux,client_security_log,client_security_log,named,DN_0096_linux_named_client_security_log,,
-EventID,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,,
-Computer,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,,
-Hostname,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,,
-Hostname,OS Logs,Linux,auth,auth.log,sshd,DN_0094_linux_sshd_log,,
-UserName,OS Logs,Linux,auth,auth.log,sshd,DN_0094_linux_sshd_log,,
-Daemon,OS Logs,Linux,auth,auth.log,sshd,DN_0094_linux_sshd_log,,
-Program,OS Logs,Linux,auth,auth.log,sshd,DN_0094_linux_sshd_log,,
-Message,OS Logs,Linux,auth,auth.log,sshd,DN_0094_linux_sshd_log,,
-EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,,
-Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,,
-Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,,
-SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,,
-SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,,
-SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,,
-SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,,
-ObjectType,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,,
-IpAddress,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,,
-IpPort,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,,
-ShareName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,,
-ShareLocalPath,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,,
-RelativeTargetName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,,
-AccessMask,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,,
-AccessList,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,,
-AccessReason,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,,
-EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
-AccountName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
-Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
-Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
-SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
-SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
-SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
-SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
-TargetUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
-TargetUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
-TargetDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
-TargetLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
-LogonType,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
-LogonProcessName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
-AuthenticationPackageName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
-WorkstationName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
-LogonGuid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
-TransmittedServices,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
-LmPackageName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
-KeyLength,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
-ProcessId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
-ProcessName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
-IpAddress,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
-IpPort,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
-ImpersonationLevel,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
-RestrictedAdminMode,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
-TargetOutboundUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
-TargetOutboundDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
-VirtualAccount,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
-TargetLinkedLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
-ElevatedToken,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
-EventID,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,,
-Computer,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,,
-Hostname,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,,
-EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,,
-Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,,
-Hostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,,
-UtcTime,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,,
-ImageLoaded,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,,
-Hashes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,,
-Sha256hash,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,,
-Md5hash,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,,
-Signed,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,,
-Signature,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,,
-SignatureStatus,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,,
-EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,,
-Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,,
-SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,,
-SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,,
-SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,,
-SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,,
-NewProcessId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,,
-NewProcessName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,,
-TokenElevationType,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,,
-ProcessId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,,
-ProcessPid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,,
-TargetUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,,
-TargetUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,,
-TargetDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,,
-TargetLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,,
-ParentProcessName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,,
-MandatoryLabel,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,,
-ProcessName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,,
-Image,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,,
-EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,,
-Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,,
-Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,,
-TargetUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,,
-TargetDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,,
-ServiceName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,,
-ServiceSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,,
-TicketOptions,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,,
-TicketEncryptionType,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,,
-IpAddress,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,,
-IpPort,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,,
-Status,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,,
-LogonGuid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,,
-TransmittedServices,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,,
-EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,,
-Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,,
-Hostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,,
-UtcTime,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,,
-ProcessGuid,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,,
-ProcessId,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,,
-Image,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,,
-TargetFilename,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,,
-CreationUtcTime,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,,
-Hash,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,,
-EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,,
-Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,,
-Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,,
-TargetUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,,
-TargetSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,,
-ServiceName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,,
-TicketOptions,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,,
-Status,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,,
-PreAuthType,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,,
-IpAddress,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,,
-IpPort,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,,
-CertIssuerName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,,
-CertSerialNumber,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,,
-CertThumbprint,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,,
-EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,,
-ComputerName,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,,
-Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,,
-UMDFHostDeviceRequest,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,,
-lifetime,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,,
-instance,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,,
-EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,,
-Hostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,,
-Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,,
-CallerPID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,,
-ProcessName,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,,
-ClientLUID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,,
-ClientUserName,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,,
-ClientDomainName,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,,
-MechanismOID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,,
-Hostname,OS Logs,Linux,auth,auth.log,pam,DN_0095_linux_auth_pam_log,,
-UserName,OS Logs,Linux,auth,auth.log,pam,DN_0095_linux_auth_pam_log,,
-Daemon,OS Logs,Linux,auth,auth.log,pam,DN_0095_linux_auth_pam_log,,
-Message,OS Logs,Linux,auth,auth.log,pam,DN_0095_linux_auth_pam_log,,
-pam_service,OS Logs,Linux,auth,auth.log,pam,DN_0095_linux_auth_pam_log,,
-pam_user,OS Logs,Linux,auth,auth.log,pam,DN_0095_linux_auth_pam_log,,
-pam_unix,OS Logs,Linux,auth,auth.log,pam,DN_0095_linux_auth_pam_log,,
-pam_tty,OS Logs,Linux,auth,auth.log,pam,DN_0095_linux_auth_pam_log,,
-pam_ruser,OS Logs,Linux,auth,auth.log,pam,DN_0095_linux_auth_pam_log,,
-pam_rhost,OS Logs,Linux,auth,auth.log,pam,DN_0095_linux_auth_pam_log,,
-pam_type,OS Logs,Linux,auth,auth.log,pam,DN_0095_linux_auth_pam_log,,
-pam_authtok,OS Logs,Linux,auth,auth.log,pam,DN_0095_linux_auth_pam_log,,
-pam_message,OS Logs,Linux,auth,auth.log,pam,DN_0095_linux_auth_pam_log,,
-uid,OS Logs,Linux,auth,auth.log,pam,DN_0095_linux_auth_pam_log,,
-logname,OS Logs,Linux,auth,auth.log,pam,DN_0095_linux_auth_pam_log,,
-uid,OS Logs,Linux,auth,auth.log,pam,DN_0095_linux_auth_pam_log,,
-euid,OS Logs,Linux,auth,auth.log,pam,DN_0095_linux_auth_pam_log,,
-tty,OS Logs,Linux,auth,auth.log,pam,DN_0095_linux_auth_pam_log,,
-ruser,OS Logs,Linux,auth,auth.log,pam,DN_0095_linux_auth_pam_log,,
-rhost,OS Logs,Linux,auth,auth.log,pam,DN_0095_linux_auth_pam_log,,
-EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,,
-Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,,
-Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,,
-SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,,
-SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,,
-SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,,
-SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,,
-ObjectServer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,,
-ObjectType,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,,
-ObjectName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,,
-HandleId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,,
-TransactionId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,,
-AccessList,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,,
-AccessReason,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,,
-AccessMask,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,,
-PrivilegeList,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,,
-RestrictedSidCount,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,,
-ProcessId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,,
-ProcessName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,,
-ResourceAttributes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,,
-EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,,
-Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,,
-Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,,
-SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,,
-SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,,
-SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,,
-SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,,
-Workstation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,,
-Status,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,,
-EventID,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,,
-Hostname,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,,
-Computer,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,,
-HiveNameLength,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,,
-HiveName,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,,
-KeysUpdated,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,,
-DirtyPages,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,,
-EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,,
-Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,,
-Hostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,,
-UtcTime,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,,
-SourceProcessGuid,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,,
-SourceProcessId,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,,
-SourceImage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,,
-TargetProcessGuid,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,,
-TargetProcessId,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,,
-TargetImage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,,
-NewThreadId,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,,
-StartAddress,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,,
-StartModule,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,,
-StartFunction,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,,
-EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,,
-Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,,
-Hostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,,
-Namespace,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,,
-ESS,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,,
-Consumer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,,
-PossibleCause,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,,
-CreatorSID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,,
-EventNamespace,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,,
-Query,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,,
-QueryLanguage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,,
-EventFilter,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,,
-EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,,
-ComputerName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,,
-Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,,
-Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,,
-SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,,
-SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,,
-SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,,
-SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,,
-PreviousTime,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,,
-NewTime,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,,
-ProcessId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,,
-ProcessName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,,
-Hostname,OS Logs,Linux,daemon,daemon.log,many,DN_0097_linux_daemon_log,,
-Daemon,OS Logs,Linux,daemon,daemon.log,many,DN_0097_linux_daemon_log,,
-Program,OS Logs,Linux,daemon,daemon.log,many,DN_0097_linux_daemon_log,,
-Message,OS Logs,Linux,daemon,daemon.log,many,DN_0097_linux_daemon_log,,
-EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,,
-ComputerName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,,
-Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,,
-Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,,
-MemberName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,,
-MemberSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,,
-TargetUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,,
-TargetDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,,
-TargetSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,,
-SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,,
-SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,,
-SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,,
-SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,,
-PrivilegeList,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,,
-EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,,
-Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,,
-Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,,
-SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,,
-SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,,
-SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,,
-SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,,
-EventID,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,,
-ComputerName,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,,
-Computer,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,,
-Hostname,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,,
-EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,,
-ComputerName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,,
-Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,,
-Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,,
-Subject,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,,
-SecurityID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,,
-AccountName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,,
-AccountDomain,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,,
-LogonID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,,
-TargetAccount,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,,
-SecurityID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,,
-AccountName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,,
-AccountDomain,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,,
-SourceAccount,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,,
-SecurityID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,,
-AccountName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,,
-AdditionalInformation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,,
-Privileges,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,,
-SIDList,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,,
-timestamp,OS Logs,Linux,modsecurity,modsecurity,modsecurity,DN_0091_linux_modsecurity_log,,
-hostname,OS Logs,Linux,modsecurity,modsecurity,modsecurity,DN_0091_linux_modsecurity_log,,
-client,OS Logs,Linux,modsecurity,modsecurity,modsecurity,DN_0091_linux_modsecurity_log,,
-uri,OS Logs,Linux,modsecurity,modsecurity,modsecurity,DN_0091_linux_modsecurity_log,,
-EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,,
-Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,,
-Hostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,,
-UtcTime,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,,
-EventType,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,,
-Operation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,,
-User,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,,
-Name,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,,
-Type,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,,
-Destination,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,,
-RuleName,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,,
-EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,,
-Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,,
-Hostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,,
-NamespaceName,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,,
-Query,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,,
-ProcessID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,,
-Provider,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,,
-queryid,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,,
-PossibleCause,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,,
-CorrelationActivityID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,,
+EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,,
+Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,,
+Hostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,,
+UtcTime,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,,
+ProcessGuid,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,,
+ProcessId,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,,
+Image,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,,
+User,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,,
+Protocol,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,,
+Initiated,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,,
+SourceIsIpv6,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,,
+SourceIp,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,,
+SourceHostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,,
+SourcePort,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,,
+SourcePortName,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,,
+DestinationIsIpv6,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,,
+DestinationIp,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,,
+DestinationHostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,,
+DestinationPort,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,,
+DestinationPortName,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,,
+EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,,
+Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,,
+Hostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,,
+UtcTime,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,,
+ProcessGuid,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,,
+ProcessId,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,,
+Image,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,,
+ImageLoaded,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,,
+FileVersion,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,,
+Description,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,,
+Product,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,,
+Company,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,,
+OriginalFileName,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,,
+Hashes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,,
+Signed,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,,
+Signature,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,,
+SignatureStatus,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,,
+EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,,
+Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,,
+Hostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,,
+TaskName,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,,
+UserContext,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,,
 EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,,
 ComputerName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,,
 Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,,
@@ -530,271 +442,13 @@ CallerProcessID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-
 TransitedServices,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,,
 SourceNetworkAddress,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,,
 SourcePort,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,,
-EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,,
-Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,,
-Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,,
-SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,,
-SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,,
-SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,,
-SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,,
-TargetSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,,
-PrivilegeList,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,,
-EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,,
-Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,,
-Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,,
-SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,,
-SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,,
-SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,,
-SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,,
-ServiceName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,,
-ServiceFileName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,,
-ServiceType,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,,
-ServiceStartType,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,,
-ServiceAccount,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,,
-EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,,
-ComputerName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,,
-Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,,
-Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,,
-TargetUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,,
-TargetDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,,
-TargetSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,,
-SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,,
-SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,,
-SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,,
-SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,,
-PrivilegeList,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,,
-SamAccountName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,,
-SidHistory,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0072_4755_security_enabled_universal_group_was_changed,,
-EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,,
-Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,,
-Hostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,,
-UtcTime,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,,
-EventType,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,,
-Operation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,,
-User,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,,
-Consumer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,,
-RuleName,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,,
-Filter,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,,
-Hostname,OS Logs,Linux,vsftpd.log,vsftpd.log,vsftpd,DN_0098_linux_vsftpd_log,,
-Daemon,OS Logs,Linux,vsftpd.log,vsftpd.log,vsftpd,DN_0098_linux_vsftpd_log,,
-Program,OS Logs,Linux,vsftpd.log,vsftpd.log,vsftpd,DN_0098_linux_vsftpd_log,,
-ClientIP,OS Logs,Linux,vsftpd.log,vsftpd.log,vsftpd,DN_0098_linux_vsftpd_log,,
-PID,OS Logs,Linux,vsftpd.log,vsftpd.log,vsftpd,DN_0098_linux_vsftpd_log,,
-Message,OS Logs,Linux,vsftpd.log,vsftpd.log,vsftpd,DN_0098_linux_vsftpd_log,,
-EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,,
-Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,,
-Hostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,,
-UtcTime,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,,
-State,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,,
-EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,,
-Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,,
-Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,,
-SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,,
-SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,,
-SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,,
-SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,,
-ObjectType,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,,
-IpAddress,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,,
-IpPort,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,,
-ShareName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,,
-ShareLocalPath,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,,
-AccessMask,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,,
-AccessList,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,,
-EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,,
-Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,,
-Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,,
-SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,,
-SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,,
-SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,,
-SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,,
-TaskName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,,
-TaskContent,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,,
-EventID,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,,
-Computer,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,,
-Hostname,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,,
-EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,,
-ComputerName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,,
-Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,,
-Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,,
-MemberName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,,
-MemberSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,,
-TargetUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,,
-TargetDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,,
-TargetSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,,
-SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,,
-SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,,
-SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,,
-SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,,
-PrivilegeList,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,,
-EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,,
-Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,,
-Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,,
-TargetUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,,
-TargetDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,,
-TargetSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,,
-ServiceName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,,
-ServiceSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,,
-TicketOptions,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,,
-Status,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,,
-TicketEncryptionType,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,,
-PreAuthType,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,,
-IpAddress,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,,
-IpPort,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,,
-CertIssuerName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,,
-CertSerialNumber,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,,
-CertThumbprint,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,,
-EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,,
-ComputerName,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,,
-Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,,
-Hostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,,
-ProductName,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,,
-ProductVersion,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,,
-Unused,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,,
-RuleID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,,
-ASR_RuleID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,,
-DetectionTime,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,,
-User,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,,
-Path,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,,
-ProcessName,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,,
-SecurityintelligenceVersion,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,,
-EngineVersion,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,,
-EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,,
-ComputerName,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,,
-Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,,
-UMDFHostDeviceRequest,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,,
-lifetime,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,,
-instance,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,,
-timestamp,OS Logs,Unix,generic,syslog,syslog,DN_0092_unix_generic_syslog,,
-uid,OS Logs,Unix,generic,syslog,syslog,DN_0092_unix_generic_syslog,,
-message,OS Logs,Unix,generic,syslog,syslog,DN_0092_unix_generic_syslog,,
-EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,,
-Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,,
-Hostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,,
-UtcTime,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,,
-ProcessGuid,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,,
-ProcessId,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,,
-Image,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,,
-Device,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,,
-EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,,
-Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,,
-Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,,
-SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,,
-SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,,
-SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,,
-SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,,
-ObjectServer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,,
-HandleId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,,
-ProcessId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,,
-ProcessName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,,
-TransactionId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,,
-EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,,
-Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,,
-Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,,
-SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,,
-SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,,
-SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,,
-SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,,
-ObjectName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,,
-ObjectValueName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,,
-HandleId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,,
-OperationType,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,,
-OldValueType,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,,
-OldValue,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,,
-NewValueType,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,,
-NewValue,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,,
-ProcessId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,,
-ProcessName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,,
-EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,,
-Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,,
-Hostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,,
-EventType,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,,
-UtcTime,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,,
-ProcessGuid,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,,
-ProcessId,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,,
-Image,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,,
-TargetObject,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,,
-Details,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,,
-EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,,
-Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,,
-Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,,
-PackageName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,,
-TargetUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,,
-Workstation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,,
-Status,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,,
-EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,,
-Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,,
-Hostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,,
-UtcTime,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,,
-SourceProcessGUID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,,
-SourceProcessId,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,,
-SourceThreadId,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,,
-SourceImage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,,
-TargetProcessGUID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,,
-TargetProcessId,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,,
-TargetImage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,,
-GrantedAccess,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,,
-CallTrace,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,,
-EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,,
-Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,,
-Hostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,,
-ContextInfo,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,,
-UserData,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,,
-Payload,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,,
-EventID,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,,
-ComputerName,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,,
-Computer,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,,
-Hostname,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,,
-EventID,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,,
-Computer,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,,
-Hostname,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,,
-SubjectUserName,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,,
-SubjectDomainName,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,,
-Channel,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,,
-EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
-Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
-TargetUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
-Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
-TargetDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
-TargetSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
-SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
-SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
-SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
-SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
-PrivilegeList,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
-SamAccountName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
-DisplayName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
-UserPrincipalName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
-HomeDirectory,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
-HomePath,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
-ScriptPath,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
-ProfilePath,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
-UserWorkstations,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
-PasswordLastSet,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
-AccountExpires,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
-PrimaryGroupId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
-AllowedToDelegateTo,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
-OldUacValue,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
-NewUacValue,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
-UserAccountControl,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
-UserParameters,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
-SidHistory,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
-LogonHours,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
-EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,,
-Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,,
-Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,,
-SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,,
-SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,,
-SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,,
-SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,,
-ObjectServer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,,
-ObjectType,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,,
-ObjectName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,,
-HandleId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,,
-AccessList,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,,
-AccessMask,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,,
-ProcessId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,,
-ProcessName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,,
-ResourceAttributes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,,
+EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,,
+Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,,
+Hostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,,
+UtcTime,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,,
+ProcessGuid,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,,
+ProcessId,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,,
+Image,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,,
 type,OS Logs,Linux,SYSCALL,auditd,auditd,DN_0056_linux_auditd_syscall,,
 msg,OS Logs,Linux,SYSCALL,auditd,auditd,DN_0056_linux_auditd_syscall,,
 arch,OS Logs,Linux,SYSCALL,auditd,auditd,DN_0056_linux_auditd_syscall,,
@@ -826,47 +480,71 @@ key,OS Logs,Linux,SYSCALL,auditd,auditd,DN_0056_linux_auditd_syscall,,
 EventID,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,,
 Hostname,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,,
 Computer,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,,
-EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,,
-ComputerName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,,
-Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,,
-Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,,
-ProcessID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,,
-Application,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,,
-Direction,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,,
-SourceAddress,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,,
-SourcePort,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,,
-DestAddress,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,,
-DestPort,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,,
-Protocol,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,,
-FilterRTID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,,
-LayerName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,,
-LayerRTID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,,
-RemoteUserID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,,
-RemoteMachineID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,,
-EventID,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,,
-Hostname,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,,
-Computer,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,,
-FaultingApplicationName,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,,
-FaultingModuleName,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,,
-ExceptionCode,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,,
-FaultOffset,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,,
-FaultingProcessId,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,,
-FaultingApplicationStartTime,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,,
-FaultingApplicationPath,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,,
-FaultingModulePath,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,,
-ReportId,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,,
-FaultingPackageFullName,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,,
-FaultingPackage-relativeApplicationID,OS Logs,Windows,Windows Log,Application,Application Error,DN_0044_1000_application_crashed,,
-EventID,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,,
-Computer,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,,
-Hostname,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,,
-type,OS Logs,Linux,EXECVE,auditd,auditd,DN_0054_linux_auditd_execve,,
-msg,OS Logs,Linux,EXECVE,auditd,auditd,DN_0054_linux_auditd_execve,,
-argc,OS Logs,Linux,EXECVE,auditd,auditd,DN_0054_linux_auditd_execve,,
-a0,OS Logs,Linux,EXECVE,auditd,auditd,DN_0054_linux_auditd_execve,,
-a1,OS Logs,Linux,EXECVE,auditd,auditd,DN_0054_linux_auditd_execve,,
-a2,OS Logs,Linux,EXECVE,auditd,auditd,DN_0054_linux_auditd_execve,,
-a3,OS Logs,Linux,EXECVE,auditd,auditd,DN_0054_linux_auditd_execve,,
+EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,,
+Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,,
+Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,,
+SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,,
+SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,,
+SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,,
+SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0038_1102_the_audit_log_was_cleared,,
+EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
+ComputerName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
+Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
+Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
+TargetUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
+TargetDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
+TargetSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
+SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
+SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
+SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
+SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
+PrivilegeList,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
+SamAccountName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
+DisplayName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
+UserPrincipalName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
+HomeDirectory,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
+HomePath,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
+ScriptPath,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
+ProfilePath,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
+UserWorkstations,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
+PasswordLastSet,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
+AccountExpires,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
+PrimaryGroupId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
+AllowedToDelegateTo,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
+OldUacValue,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
+NewUacValue,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
+UserAccountControl,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
+UserParameters,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
+SidHistory,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
+LogonHours,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
+EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,,
+Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,,
+Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,,
+SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,,
+SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,,
+SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,,
+SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,,
+ObjectType,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,,
+IpAddress,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,,
+IpPort,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,,
+ShareName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,,
+ShareLocalPath,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,,
+RelativeTargetName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,,
+AccessMask,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,,
+AccessList,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,,
+AccessReason,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,,
+EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,,
+Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,,
+Hostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,,
+Namespace,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,,
+ESS,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,,
+Consumer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,,
+PossibleCause,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,,
+CreatorSID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,,
+EventNamespace,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,,
+Query,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,,
+QueryLanguage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,,
+EventFilter,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,,
 EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,,
 Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,,
 Hostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,,
@@ -878,120 +556,42 @@ QueryName,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmo
 QueryStatus,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,,
 QueryResults,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,,
 Image,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,,
-EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,,
-Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,,
-Hostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,,
-UtcTime,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,,
-ProcessGuid,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,,
-ProcessId,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,,
-Image,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,,
-TargetFilename,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,,
-CreationUtcTime,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,,
-PreviousCreationUtcTime,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,,
-EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,,
-Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,,
-Hostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,,
-UtcTime,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,,
-ProcessGuid,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,,
-ProcessId,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,,
-Image,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,,
-ImageLoaded,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,,
-FileVersion,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,,
-Description,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,,
-Product,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,,
-Company,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,,
-OriginalFileName,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,,
-Hashes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,,
-Signed,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,,
-Signature,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,,
-SignatureStatus,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,,
-EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,,
-Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,,
-Hostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,,
-EventType,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,,
-UtcTime,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,,
-ProcessGuid,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,,
-ProcessId,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,,
-Image,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,,
-TargetObject,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,,
+timestamp,OS Logs,Unix,generic,syslog,syslog,DN_0092_unix_generic_syslog,,
+uid,OS Logs,Unix,generic,syslog,syslog,DN_0092_unix_generic_syslog,,
+message,OS Logs,Unix,generic,syslog,syslog,DN_0092_unix_generic_syslog,,
+EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,,
+Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,,
+Hostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,,
+UtcTime,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,,
+ProcessGuid,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,,
+ProcessId,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,,
+Image,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,,
+TargetFilename,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,,
+CreationUtcTime,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,,
+EventID,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,,
+ComputerName,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,,
+Computer,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,,
+Hostname,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,,
+EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,,
+ComputerName,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,,
+Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,,
+Hostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,,
+ProductName,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,,
+ProductVersion,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,,
+Unused,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,,
+RuleID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,,
+ASR_RuleID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,,
+DetectionTime,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,,
+User,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,,
+Path,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,,
+ProcessName,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,,
+SecurityintelligenceVersion,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,,
+EngineVersion,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender,DN_0051_1121_attack_surface_reduction_blocking_mode_event,,
 EventID,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,,
 Computer,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,,
 Hostname,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,,
 param1,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,,
 param2,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,,
-EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,,
-Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,,
-Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,,
-SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,,
-SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,,
-SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,,
-SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,,
-CategoryId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,,
-SubcategoryId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,,
-SubcategoryGuid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,,
-AuditPolicyChanges,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,,
-EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,,
-Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,,
-Hostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,,
-UtcTime,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,,
-EventType,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,,
-Operation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,,
-User,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,,
-EventNamespace,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,,
-Name,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,,
-Query,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,,
-RuleName,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,,
-EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,,
-Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,,
-Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,,
-SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,,
-SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,,
-SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,,
-SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,,
-ObjectServer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,,
-ObjectType,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,,
-ObjectName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,,
-HandleId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,,
-TransactionId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,,
-AccessList,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,,
-AccessMask,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,,
-PrivilegeList,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,,
-Properties,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,,
-RestrictedSidCount,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,,
-ProcessId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,,
-ProcessName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,,
-EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,,
-Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,,
-Hostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,,
-TaskName,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,,
-UserContext,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,,
-EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,,
-ComputerName,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,,
-Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,,
-UMDFHostDeviceArrivalBegin,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,,
-lifetime,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,,
-instance,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,,
-EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,,
-Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,,
-Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,,
-MemberName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,,
-MemberSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,,
-TargetUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,,
-TargetDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,,
-TargetSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,,
-SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,,
-SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,,
-SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,,
-SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,,
-PrivilegeList,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,,
-EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,,
-Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,,
-Hostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,,
-MessageNumber,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,,
-MessageTotal,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,,
-ScriptBlockText,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,,
-ScriptBlockId,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,,
-Path,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,,
 EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,,
 Hostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,,
 Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,,
@@ -1023,6 +623,284 @@ Description,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sys
 Product,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,,
 Company,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,,
 CurrentDirectory,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,,
+EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,,
+ComputerName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,,
+Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,,
+Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,,
+MemberName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,,
+MemberSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,,
+TargetUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,,
+TargetDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,,
+TargetSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,,
+SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,,
+SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,,
+SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,,
+SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,,
+PrivilegeList,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0068_4728_member_was_added_to_security_enabled_global_group,,
+EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,,
+Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,,
+Hostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,,
+UtcTime,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,,
+State,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,,
+EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,,
+ComputerName,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,,
+Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,,
+UMDFHostDeviceRequest,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,,
+lifetime,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,,
+instance,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,,
+EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
+AccountName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
+Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
+Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
+SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
+SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
+SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
+SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
+TargetUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
+TargetUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
+TargetDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
+TargetLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
+LogonType,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
+LogonProcessName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
+AuthenticationPackageName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
+WorkstationName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
+LogonGuid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
+TransmittedServices,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
+LmPackageName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
+KeyLength,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
+ProcessId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
+ProcessName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
+IpAddress,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
+IpPort,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
+ImpersonationLevel,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
+RestrictedAdminMode,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
+TargetOutboundUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
+TargetOutboundDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
+VirtualAccount,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
+TargetLinkedLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
+ElevatedToken,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,,
+EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,,
+Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,,
+Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,,
+SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,,
+SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,,
+SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,,
+SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,,
+ObjectType,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,,
+IpAddress,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,,
+IpPort,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,,
+ShareName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,,
+ShareLocalPath,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,,
+AccessMask,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,,
+AccessList,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,,
+EventID,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,,
+Computer,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,,
+Hostname,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,,
+SubjectUserName,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,,
+SubjectDomainName,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,,
+Channel,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,,
+EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,,
+Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,,
+Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,,
+SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,,
+SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,,
+SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,,
+SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,,
+TaskName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,,
+TaskContent,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,,
+EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,,
+ComputerName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,,
+Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,,
+Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,,
+MemberName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,,
+MemberSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,,
+TargetUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,,
+TargetDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,,
+TargetSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,,
+SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,,
+SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,,
+SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,,
+SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,,
+PrivilegeList,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0073_4756_member_was_added_to_a_security_enabled_universal_group,,
+EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,,
+Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,,
+Hostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,,
+EventType,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,,
+UtcTime,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,,
+ProcessGuid,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,,
+ProcessId,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,,
+PipeName,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,,
+Image,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,,
+EventID,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,,
+Computer,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,,
+Hostname,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,,
+EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,,
+Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,,
+Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,,
+SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,,
+SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,,
+SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,,
+SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,,
+CategoryId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,,
+SubcategoryId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,,
+SubcategoryGuid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,,
+AuditPolicyChanges,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,,
+EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,,
+Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,,
+Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,,
+SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,,
+SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,,
+SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,,
+SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,,
+Hostname,OS Logs,Linux,vsftpd.log,vsftpd.log,vsftpd,DN_0098_linux_vsftpd_log,,
+Daemon,OS Logs,Linux,vsftpd.log,vsftpd.log,vsftpd,DN_0098_linux_vsftpd_log,,
+Program,OS Logs,Linux,vsftpd.log,vsftpd.log,vsftpd,DN_0098_linux_vsftpd_log,,
+ClientIP,OS Logs,Linux,vsftpd.log,vsftpd.log,vsftpd,DN_0098_linux_vsftpd_log,,
+PID,OS Logs,Linux,vsftpd.log,vsftpd.log,vsftpd,DN_0098_linux_vsftpd_log,,
+Message,OS Logs,Linux,vsftpd.log,vsftpd.log,vsftpd,DN_0098_linux_vsftpd_log,,
+type,OS Logs,Linux,EXECVE,auditd,auditd,DN_0054_linux_auditd_execve,,
+msg,OS Logs,Linux,EXECVE,auditd,auditd,DN_0054_linux_auditd_execve,,
+argc,OS Logs,Linux,EXECVE,auditd,auditd,DN_0054_linux_auditd_execve,,
+a0,OS Logs,Linux,EXECVE,auditd,auditd,DN_0054_linux_auditd_execve,,
+a1,OS Logs,Linux,EXECVE,auditd,auditd,DN_0054_linux_auditd_execve,,
+a2,OS Logs,Linux,EXECVE,auditd,auditd,DN_0054_linux_auditd_execve,,
+a3,OS Logs,Linux,EXECVE,auditd,auditd,DN_0054_linux_auditd_execve,,
+type,OS Logs,Linux,PATH,auditd,auditd,DN_0055_linux_auditd_read_access_to_file,,
+msg,OS Logs,Linux,PATH,auditd,auditd,DN_0055_linux_auditd_read_access_to_file,,
+item,OS Logs,Linux,PATH,auditd,auditd,DN_0055_linux_auditd_read_access_to_file,,
+name,OS Logs,Linux,PATH,auditd,auditd,DN_0055_linux_auditd_read_access_to_file,,
+inode,OS Logs,Linux,PATH,auditd,auditd,DN_0055_linux_auditd_read_access_to_file,,
+dev,OS Logs,Linux,PATH,auditd,auditd,DN_0055_linux_auditd_read_access_to_file,,
+mode,OS Logs,Linux,PATH,auditd,auditd,DN_0055_linux_auditd_read_access_to_file,,
+ouid,OS Logs,Linux,PATH,auditd,auditd,DN_0055_linux_auditd_read_access_to_file,,
+ogid,OS Logs,Linux,PATH,auditd,auditd,DN_0055_linux_auditd_read_access_to_file,,
+rdev,OS Logs,Linux,PATH,auditd,auditd,DN_0055_linux_auditd_read_access_to_file,,
+obj,OS Logs,Linux,PATH,auditd,auditd,DN_0055_linux_auditd_read_access_to_file,,
+objtype,OS Logs,Linux,PATH,auditd,auditd,DN_0055_linux_auditd_read_access_to_file,,
+cap_fp,OS Logs,Linux,PATH,auditd,auditd,DN_0055_linux_auditd_read_access_to_file,,
+cap_fi,OS Logs,Linux,PATH,auditd,auditd,DN_0055_linux_auditd_read_access_to_file,,
+cap_fe,OS Logs,Linux,PATH,auditd,auditd,DN_0055_linux_auditd_read_access_to_file,,
+cap_fver,OS Logs,Linux,PATH,auditd,auditd,DN_0055_linux_auditd_read_access_to_file,,
+EventID,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,,
+Hostname,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,,
+Computer,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,,
+ProcessID,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,,
+ServiceName,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,,
+ImagePath,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,,
+ServiceFileName,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,,
+ServiceType,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,,
+StartType,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,,
+AccountName,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,,
+UserSid,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,,
+EventID,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,,
+ComputerName,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,,
+Computer,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,,
+Hostname,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,,
+EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,,
+Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,,
+SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,,
+SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,,
+SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,,
+SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,,
+NewProcessId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,,
+NewProcessName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,,
+TokenElevationType,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,,
+ProcessId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,,
+ProcessPid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,,
+TargetUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,,
+TargetUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,,
+TargetDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,,
+TargetLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,,
+ParentProcessName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,,
+MandatoryLabel,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,,
+ProcessName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,,
+Image,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,,
+EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,,
+Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,,
+Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,,
+SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,,
+SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,,
+SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,,
+SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,,
+ObjectServer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,,
+HandleId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,,
+ProcessId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,,
+ProcessName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,,
+EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,,
+Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,,
+Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,,
+SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,,
+SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,,
+SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,,
+SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,,
+ObjectServer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,,
+ObjectType,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,,
+ObjectName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,,
+HandleId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,,
+TransactionId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,,
+AccessList,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,,
+AccessReason,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,,
+AccessMask,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,,
+PrivilegeList,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,,
+RestrictedSidCount,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,,
+ProcessId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,,
+ProcessName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,,
+ResourceAttributes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,,
+EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,,
+Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,,
+Hostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,,
+UtcTime,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,,
+ProcessGuid,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,,
+ProcessId,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,,
+Image,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,,
+Device,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,,
+date,DNS Logs,Linux,queries log,passivedns,Passive DNS,DN_0100_Passive_DNS_log,,
+record_type,DNS Logs,Linux,queries log,passivedns,Passive DNS,DN_0100_Passive_DNS_log,,
+client_ip,DNS Logs,Linux,queries log,passivedns,Passive DNS,DN_0100_Passive_DNS_log,,
+src_ip,DNS Logs,Linux,queries log,passivedns,Passive DNS,DN_0100_Passive_DNS_log,,
+destination_ip,DNS Logs,Linux,queries log,passivedns,Passive DNS,DN_0100_Passive_DNS_log,,
+dst_ip,DNS Logs,Linux,queries log,passivedns,Passive DNS,DN_0100_Passive_DNS_log,,
+ttl,DNS Logs,Linux,queries log,passivedns,Passive DNS,DN_0100_Passive_DNS_log,,
+domain_name,DNS Logs,Linux,queries log,passivedns,Passive DNS,DN_0100_Passive_DNS_log,,
+query,DNS Logs,Linux,queries log,passivedns,Passive DNS,DN_0100_Passive_DNS_log,,
+dns_query,DNS Logs,Linux,queries log,passivedns,Passive DNS,DN_0100_Passive_DNS_log,,
+answer,DNS Logs,Linux,queries log,passivedns,Passive DNS,DN_0100_Passive_DNS_log,,
+parent_domain,DNS Logs,Linux,queries log,passivedns,Passive DNS,DN_0100_Passive_DNS_log,,
+question_length,DNS Logs,Linux,queries log,passivedns,Passive DNS,DN_0100_Passive_DNS_log,,
+Hostname,OS Logs,Linux,auth,auth.log,sshd,DN_0094_linux_sshd_log,,
+UserName,OS Logs,Linux,auth,auth.log,sshd,DN_0094_linux_sshd_log,,
+Daemon,OS Logs,Linux,auth,auth.log,sshd,DN_0094_linux_sshd_log,,
+Program,OS Logs,Linux,auth,auth.log,sshd,DN_0094_linux_sshd_log,,
+Message,OS Logs,Linux,auth,auth.log,sshd,DN_0094_linux_sshd_log,,
+EventID,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,,
+ComputerName,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,,
+Computer,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,,
+Hostname,OS Logs,Windows,Applications and Services Logs,Application,Microsoft-Windows-Backup,DN_0039_524_system_catalog_has_been_deleted,,
+EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,,
+ComputerName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,,
+Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,,
+Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,,
+SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,,
+SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,,
+SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,,
+SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,,
+PreviousTime,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,,
+NewTime,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,,
+ProcessId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,,
+ProcessName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,,
+EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,,
+Hostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,,
+Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,,
+CallerPID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,,
+ProcessName,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,,
+ClientLUID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,,
+ClientUserName,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,,
+ClientDomainName,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,,
+MechanismOID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,,
+Hostname,OS Logs,Linux,daemon,daemon.log,many,DN_0097_linux_daemon_log,,
+Daemon,OS Logs,Linux,daemon,daemon.log,many,DN_0097_linux_daemon_log,,
+Program,OS Logs,Linux,daemon,daemon.log,many,DN_0097_linux_daemon_log,,
+Message,OS Logs,Linux,daemon,daemon.log,many,DN_0097_linux_daemon_log,,
 EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,,
 Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,,
 Hostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,,
@@ -1032,6 +910,146 @@ ProcessGuid,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sys
 ProcessId,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,,
 PipeName,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,,
 Image,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,,
+EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,,
+Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,,
+Hostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,,
+EventType,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,,
+UtcTime,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,,
+ProcessGuid,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,,
+ProcessId,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,,
+Image,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,,
+TargetObject,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,,
+NewName,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,,
+EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,,
+Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,,
+Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,,
+PackageName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,,
+TargetUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,,
+Workstation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,,
+Status,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,,
+EventID,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,,
+Computer,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,,
+Hostname,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,,
+EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,,
+Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,,
+Hostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,,
+UtcTime,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,,
+EventType,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,,
+Operation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,,
+User,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,,
+Consumer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,,
+RuleName,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,,
+Filter,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,,
+EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,,
+Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,,
+Hostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,,
+UtcTime,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,,
+EventType,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,,
+Operation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,,
+User,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,,
+Name,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,,
+Type,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,,
+Destination,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,,
+RuleName,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,,
+EventID,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,,
+Computer,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,,
+Hostname,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,,
+EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
+Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
+TargetUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
+Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
+TargetDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
+TargetSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
+SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
+SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
+SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
+SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
+PrivilegeList,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
+SamAccountName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
+DisplayName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
+UserPrincipalName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
+HomeDirectory,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
+HomePath,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
+ScriptPath,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
+ProfilePath,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
+UserWorkstations,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
+PasswordLastSet,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
+AccountExpires,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
+PrimaryGroupId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
+AllowedToDelegateTo,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
+OldUacValue,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
+NewUacValue,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
+UserAccountControl,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
+UserParameters,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
+SidHistory,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
+LogonHours,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,,
+EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,,
+Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,,
+Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,,
+SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,,
+SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,,
+SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,,
+SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,,
+ObjectServer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,,
+ObjectType,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,,
+ObjectName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,,
+HandleId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,,
+TransactionId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,,
+AccessList,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,,
+AccessMask,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,,
+PrivilegeList,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,,
+Properties,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,,
+RestrictedSidCount,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,,
+ProcessId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,,
+ProcessName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,,
+EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,,
+Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,,
+Hostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,,
+EventType,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,,
+UtcTime,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,,
+ProcessGuid,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,,
+ProcessId,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,,
+Image,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,,
+TargetObject,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,,
+EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,,
+Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,,
+Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,,
+OpCorrelationID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,,
+AppCorrelationID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,,
+SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,,
+SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,,
+SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,,
+SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,,
+DSName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,,
+DSType,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,,
+ObjectDN,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,,
+ObjectGUID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,,
+ObjectClass,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,,
+AttributeLDAPDisplayName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,,
+AttributeSyntaxOID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,,
+AttributeValue,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,,
+OperationType,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,,
+EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,,
+Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,,
+Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,,
+SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,,
+SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,,
+SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,,
+SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,,
+ObjectServer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,,
+HandleId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,,
+ProcessId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,,
+ProcessName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,,
+TransactionId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,,
+EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,,
+Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,,
+Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,,
+SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,,
+SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,,
+SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,,
+SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,,
+TargetSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,,
+PrivilegeList,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,,
 EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,,
 ComputerName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,,
 Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,,
@@ -1050,112 +1068,97 @@ CallerProcessID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-
 TransitedServices,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,,
 SourceNetworkAddress,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,,
 SourcePort,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,,
-EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,,
-ComputerName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,,
-Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,,
-Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,,
-TargetUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,,
-TargetDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,,
-TargetSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,,
-SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,,
-SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,,
-SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,,
-SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,,
-PrivilegeList,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,,
-SamAccountName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,,
-SidHistory,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0071_4737_security_enabled_global_group_was_changed,,
-EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
-ComputerName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
-Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
-Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
-TargetUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
-TargetDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
-TargetSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
-SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
-SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
-SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
-SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
-PrivilegeList,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
-SamAccountName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
-DisplayName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
-UserPrincipalName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
-HomeDirectory,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
-HomePath,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
-ScriptPath,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
-ProfilePath,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
-UserWorkstations,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
-PasswordLastSet,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
-AccountExpires,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
-PrimaryGroupId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
-AllowedToDelegateTo,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
-OldUacValue,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
-NewUacValue,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
-UserAccountControl,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
-UserParameters,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
-SidHistory,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
-LogonHours,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,,
-EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,,
-Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,,
-Hostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,,
-EventType,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,,
-UtcTime,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,,
-ProcessGuid,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,,
-ProcessId,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,,
-Image,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,,
-TargetObject,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,,
-NewName,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,,
-EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,,
-Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,,
-Hostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,,
-EventType,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,,
-UtcTime,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,,
-ProcessGuid,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,,
-ProcessId,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,,
-PipeName,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,,
-Image,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,,
-EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,,
-Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,,
-SubjectUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,,
-SubjectUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,,
-SubjectDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,,
-SubjectLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,,
-NewProcessId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,,
-ProcessId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,,
-NewProcessName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,,
-ProcessName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,,
-NewProcessName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,,
-Image,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,,
-TokenElevationType,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,,
-CommandLine,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,,
-ProcessCommandLine,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,,
-ProcesssCommandLine,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,,
-TargetUserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,,
-TargetUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,,
-TargetDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,,
-TargetLogonId,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,,
-ParentProcessName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,,
-ParentImage,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,,
-MandatoryLabel,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,,
-EventID,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,,
-Hostname,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,,
-Computer,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,,
-Hostname,AV Alerts,antivirus,None,None,None,DN_0084_av_alert,,
-Signature,AV Alerts,antivirus,None,None,None,DN_0084_av_alert,,
-AlertTitle,AV Alerts,antivirus,None,None,None,DN_0084_av_alert,,
-Category,AV Alerts,antivirus,None,None,None,DN_0084_av_alert,,
-Severity,AV Alerts,antivirus,None,None,None,DN_0084_av_alert,,
-Sha1,AV Alerts,antivirus,None,None,None,DN_0084_av_alert,,
-FileName,AV Alerts,antivirus,None,None,None,DN_0084_av_alert,,
-FilePath,AV Alerts,antivirus,None,None,None,DN_0084_av_alert,,
-IpAddress,AV Alerts,antivirus,None,None,None,DN_0084_av_alert,,
-UserName,AV Alerts,antivirus,None,None,None,DN_0084_av_alert,,
-UserDomain,AV Alerts,antivirus,None,None,None,DN_0084_av_alert,,
-FileHash,AV Alerts,antivirus,None,None,None,DN_0084_av_alert,,
-Hashes,AV Alerts,antivirus,None,None,None,DN_0084_av_alert,,
-Imphash,AV Alerts,antivirus,None,None,None,DN_0084_av_alert,,
-Sha256hash,AV Alerts,antivirus,None,None,None,DN_0084_av_alert,,
-Sha1hash,AV Alerts,antivirus,None,None,None,DN_0084_av_alert,,
-Md5hash,AV Alerts,antivirus,None,None,None,DN_0084_av_alert,,
+Hostname,OS Logs,Linux,auth,auth.log,pam,DN_0095_linux_auth_pam_log,,
+UserName,OS Logs,Linux,auth,auth.log,pam,DN_0095_linux_auth_pam_log,,
+Daemon,OS Logs,Linux,auth,auth.log,pam,DN_0095_linux_auth_pam_log,,
+Message,OS Logs,Linux,auth,auth.log,pam,DN_0095_linux_auth_pam_log,,
+pam_service,OS Logs,Linux,auth,auth.log,pam,DN_0095_linux_auth_pam_log,,
+pam_user,OS Logs,Linux,auth,auth.log,pam,DN_0095_linux_auth_pam_log,,
+pam_unix,OS Logs,Linux,auth,auth.log,pam,DN_0095_linux_auth_pam_log,,
+pam_tty,OS Logs,Linux,auth,auth.log,pam,DN_0095_linux_auth_pam_log,,
+pam_ruser,OS Logs,Linux,auth,auth.log,pam,DN_0095_linux_auth_pam_log,,
+pam_rhost,OS Logs,Linux,auth,auth.log,pam,DN_0095_linux_auth_pam_log,,
+pam_type,OS Logs,Linux,auth,auth.log,pam,DN_0095_linux_auth_pam_log,,
+pam_authtok,OS Logs,Linux,auth,auth.log,pam,DN_0095_linux_auth_pam_log,,
+pam_message,OS Logs,Linux,auth,auth.log,pam,DN_0095_linux_auth_pam_log,,
+uid,OS Logs,Linux,auth,auth.log,pam,DN_0095_linux_auth_pam_log,,
+logname,OS Logs,Linux,auth,auth.log,pam,DN_0095_linux_auth_pam_log,,
+uid,OS Logs,Linux,auth,auth.log,pam,DN_0095_linux_auth_pam_log,,
+euid,OS Logs,Linux,auth,auth.log,pam,DN_0095_linux_auth_pam_log,,
+tty,OS Logs,Linux,auth,auth.log,pam,DN_0095_linux_auth_pam_log,,
+ruser,OS Logs,Linux,auth,auth.log,pam,DN_0095_linux_auth_pam_log,,
+rhost,OS Logs,Linux,auth,auth.log,pam,DN_0095_linux_auth_pam_log,,
+EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,,
+Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,,
+Hostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,,
+UtcTime,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,,
+SourceProcessGuid,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,,
+SourceProcessId,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,,
+SourceImage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,,
+TargetProcessGuid,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,,
+TargetProcessId,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,,
+TargetImage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,,
+NewThreadId,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,,
+StartAddress,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,,
+StartModule,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,,
+StartFunction,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,,
+EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,,
+Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,,
+Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,,
+TargetUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,,
+TargetDomainName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,,
+TargetSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,,
+ServiceName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,,
+ServiceSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,,
+TicketOptions,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,,
+Status,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,,
+TicketEncryptionType,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,,
+PreAuthType,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,,
+IpAddress,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,,
+IpPort,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,,
+CertIssuerName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,,
+CertSerialNumber,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,,
+CertThumbprint,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,,
+timestamp,OS Logs,Linux,modsecurity,modsecurity,modsecurity,DN_0091_linux_modsecurity_log,,
+hostname,OS Logs,Linux,modsecurity,modsecurity,modsecurity,DN_0091_linux_modsecurity_log,,
+client,OS Logs,Linux,modsecurity,modsecurity,modsecurity,DN_0091_linux_modsecurity_log,,
+uri,OS Logs,Linux,modsecurity,modsecurity,modsecurity,DN_0091_linux_modsecurity_log,,
+EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,,
+Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,,
+Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,,
+TargetUserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,,
+TargetSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,,
+ServiceName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,,
+TicketOptions,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,,
+Status,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,,
+PreAuthType,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,,
+IpAddress,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,,
+IpPort,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,,
+CertIssuerName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,,
+CertSerialNumber,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,,
+CertThumbprint,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,,
+date,DNS Logs,Linux,queries log,queries_log,BIND,DN_0099_Bind_DNS_query,,
+record_type,DNS Logs,Linux,queries log,queries_log,BIND,DN_0099_Bind_DNS_query,,
+client_ip,DNS Logs,Linux,queries log,queries_log,BIND,DN_0099_Bind_DNS_query,,
+src_ip,DNS Logs,Linux,queries log,queries_log,BIND,DN_0099_Bind_DNS_query,,
+domain_name,DNS Logs,Linux,queries log,queries_log,BIND,DN_0099_Bind_DNS_query,,
+query,DNS Logs,Linux,queries log,queries_log,BIND,DN_0099_Bind_DNS_query,,
+dns_query,DNS Logs,Linux,queries log,queries_log,BIND,DN_0099_Bind_DNS_query,,
+destination_ip,DNS Logs,Linux,queries log,queries_log,BIND,DN_0099_Bind_DNS_query,,
+dst_ip,DNS Logs,Linux,queries log,queries_log,BIND,DN_0099_Bind_DNS_query,,
+parent_domain,DNS Logs,Linux,queries log,queries_log,BIND,DN_0099_Bind_DNS_query,,
+question_length,DNS Logs,Linux,queries log,queries_log,BIND,DN_0099_Bind_DNS_query,,
+EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,,
+Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,,
+Hostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,,
+UtcTime,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,,
+ImageLoaded,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,,
+Hashes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,,
+Sha256hash,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,,
+Md5hash,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,,
+Signed,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,,
+Signature,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,,
+SignatureStatus,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,,
 EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,,
 ComputerName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,,
 Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,,
@@ -1173,52 +1176,27 @@ SourceAccount,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Au
 AccountName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,,
 AdditionalInformation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,,
 Privileges,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,,
-event_data.ParentIntegrityLevel,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,EN_0002_enrich_sysmon_event_id_1_with_parent_info,EN_0001_cache_sysmon_event_id_1_info
-event_data.ParentUser,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,EN_0002_enrich_sysmon_event_id_1_with_parent_info,EN_0001_cache_sysmon_event_id_1_info
-event_data.ParentOfParentImage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,EN_0002_enrich_sysmon_event_id_1_with_parent_info,EN_0001_cache_sysmon_event_id_1_info
-ParentIntegrityLevel,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,EN_0002_enrich_sysmon_event_id_1_with_parent_info,EN_0001_cache_sysmon_event_id_1_info
-ParentUser,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,EN_0002_enrich_sysmon_event_id_1_with_parent_info,EN_0001_cache_sysmon_event_id_1_info
-ParentOfParentImage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,EN_0002_enrich_sysmon_event_id_1_with_parent_info,EN_0001_cache_sysmon_event_id_1_info
-event_data.IntegrityLevel,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-event_data.User,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-event_data.CommandLine,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-event_data.ParentImage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-IntegrityLevel,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-User,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-CommandLine,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-ParentImage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-event_data.IntegrityLevel,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-event_data.User,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-event_data.CommandLine,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-event_data.ParentImage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-IntegrityLevel,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-User,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-CommandLine,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-ParentImage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-event_data.IntegrityLevel,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-event_data.User,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-event_data.CommandLine,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-event_data.ParentImage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-IntegrityLevel,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-User,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-CommandLine,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-ParentImage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-event_data.IntegrityLevel,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-event_data.User,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-event_data.CommandLine,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-event_data.ParentImage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-IntegrityLevel,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-User,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-CommandLine,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-ParentImage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-event_data.IntegrityLevel,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-event_data.User,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-event_data.CommandLine,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-event_data.ParentImage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-IntegrityLevel,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-User,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-CommandLine,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-ParentImage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+EventID,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,,
+Computer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,,
+Hostname,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,,
+UtcTime,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,,
+ProcessGuid,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,,
+ProcessId,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,,
+Image,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,,
+TargetFilename,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,,
+CreationUtcTime,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,,
+Hash,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,,
+EventID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,,
+ComputerName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,,
+Computer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,,
+Hostname,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,,
+UserName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,,
+UserID,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,,
+UserSid,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,,
+ServiceName,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,,
+PreAuthenticationType,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,,
+FailureCode,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,,
+ClientAddress,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,,
 event_data.IntegrityLevel,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
 event_data.User,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
 event_data.CommandLine,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
@@ -1235,6 +1213,14 @@ IntegrityLevel,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-
 User,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
 CommandLine,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
 ParentImage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+event_data.IntegrityLevel,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+event_data.User,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+event_data.CommandLine,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+event_data.ParentImage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+IntegrityLevel,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+User,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+CommandLine,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+ParentImage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
 event_data.IntegrityLevel,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
 event_data.User,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
 event_data.CommandLine,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
@@ -1243,14 +1229,38 @@ IntegrityLevel,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-
 User,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
 CommandLine,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
 ParentImage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-event_data.IntegrityLevel,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-event_data.User,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-event_data.CommandLine,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-event_data.ParentImage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-IntegrityLevel,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-User,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-CommandLine,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-ParentImage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+event_data.IntegrityLevel,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+event_data.User,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+event_data.CommandLine,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+event_data.ParentImage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+IntegrityLevel,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+User,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+CommandLine,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+ParentImage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+event_data.IntegrityLevel,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+event_data.User,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+event_data.CommandLine,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+event_data.ParentImage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+IntegrityLevel,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+User,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+CommandLine,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+ParentImage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+event_data.IntegrityLevel,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+event_data.User,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+event_data.CommandLine,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+event_data.ParentImage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+IntegrityLevel,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+User,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+CommandLine,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+ParentImage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+event_data.IntegrityLevel,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+event_data.User,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+event_data.CommandLine,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+event_data.ParentImage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+IntegrityLevel,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+User,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+CommandLine,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+ParentImage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
 event_data.IntegrityLevel,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
 event_data.User,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
 event_data.CommandLine,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
@@ -1267,11 +1277,27 @@ IntegrityLevel,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-
 User,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
 CommandLine,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
 ParentImage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-event_data.IntegrityLevel,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-event_data.User,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-event_data.CommandLine,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-event_data.ParentImage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-IntegrityLevel,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-User,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-CommandLine,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
-ParentImage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+event_data.IntegrityLevel,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+event_data.User,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+event_data.CommandLine,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+event_data.ParentImage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+IntegrityLevel,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+User,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+CommandLine,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+ParentImage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+event_data.IntegrityLevel,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+event_data.User,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+event_data.CommandLine,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+event_data.ParentImage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+IntegrityLevel,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+User,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+CommandLine,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+ParentImage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info
+event_data.ParentIntegrityLevel,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,EN_0002_enrich_sysmon_event_id_1_with_parent_info,EN_0001_cache_sysmon_event_id_1_info
+event_data.ParentUser,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,EN_0002_enrich_sysmon_event_id_1_with_parent_info,EN_0001_cache_sysmon_event_id_1_info
+event_data.ParentOfParentImage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,EN_0002_enrich_sysmon_event_id_1_with_parent_info,EN_0001_cache_sysmon_event_id_1_info
+ParentIntegrityLevel,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,EN_0002_enrich_sysmon_event_id_1_with_parent_info,EN_0001_cache_sysmon_event_id_1_info
+ParentUser,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,EN_0002_enrich_sysmon_event_id_1_with_parent_info,EN_0001_cache_sysmon_event_id_1_info
+ParentOfParentImage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,EN_0002_enrich_sysmon_event_id_1_with_parent_info,EN_0001_cache_sysmon_event_id_1_info
+event_data.TargetFilePathFingerprint,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,EN_0004_enrich_sysmon_event_id_11_with_TargetFilePathFingerprint,
+TargetFilePathFingerprint,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,EN_0004_enrich_sysmon_event_id_11_with_TargetFilePathFingerprint,