This commit is contained in:
Yugoslavskiy Daniil 2019-02-06 23:46:07 +01:00
commit b19867ce4d
65 changed files with 2764 additions and 21 deletions

View File

@ -1,4 +1,4 @@
| Title | DN_0001_windows_process_creation_4688 |
| Title | DN_0001_4688_windows_process_creation |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | Windows process creation log, not including command line. |
| Logging Policy | <ul><li>[LP_0001_windows_audit_process_creation](../Logging_Policies/LP_0001_windows_audit_process_creation.md)</li></ul> |
@ -7,7 +7,7 @@
| Type | Windows Log |
| Channel | Security |
| Provider | Microsoft-Windows-Security-Auditing |
| Fields | <ul><li>EventID</li><li>Hostname</li><li>Username</li><li>UserSid</li><li>ProcessPid</li><li>ProcessName</li><li>NewProcessName</li><li>Image</li><li>ParentImage</li><li>ParentProcessPid</li><li>ParentProcessName</li><li>MandatoryLabel</li><li>TokenElevationType</li><li>LogonId</li></ul> |
| Fields | <ul><li>EventID</li><li>Hostname</li><li>Username</li><li>UserSid</li><li>ProcessPid</li><li>ProcessId</li><li>ThreadID</li><li>ProcessName</li><li>NewProcessName</li><li>Image</li><li>ParentImage</li><li>ParentProcessPid</li><li>ParentProcessName</li><li>MandatoryLabel</li><li>TokenElevationType</li><li>LogonId</li></ul> |
## Log Samples
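
Review bot: The `ProcessId` and `ThreadID` entries added to the Fields row need a note on where they come from, because 4688 already carries `ProcessPid` for the created process. If they are the `<Execution ProcessID="..." ThreadID="..."/>` attributes of the event's System block (as in the raw samples elsewhere in this commit), they identify the process that wrote the event, not the process being created, and a rule author who maps `ProcessId` to the new process will match the wrong thing. Suggest splitting the row into System-block and EventData fields, or naming them `ExecutionProcessID`/`ExecutionThreadID`.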

View File

@ -1,4 +1,4 @@
| Title | DN_0002_windows_process_creation_with_commandline_4688 |
| Title | DN_0002_4688_windows_process_creation_with_commandline |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | Windows process creation log, including command line. |
| Logging Policy | <ul><li>[LP_0001_windows_audit_process_creation](../Logging_Policies/LP_0001_windows_audit_process_creation.md)</li><li>[LP_0002_windows_audit_process_creation_with_commandline](../Logging_Policies/LP_0002_windows_audit_process_creation_with_commandline.md)</li></ul> |
@ -7,7 +7,7 @@
| Type | Windows Log |
| Channel | Security |
| Provider | Microsoft-Windows-Security-Auditing |
| Fields | <ul><li>EventID</li><li>Hostname</li><li>Username</li><li>UserSid</li><li>ProcessPid</li><li>ProcessName</li><li>NewProcessName</li><li>Image</li><li>CommandLine</li><li>ProcessCommandLine</li><li>ProcesssCommandLine</li><li>ParentProcessPid</li><li>ParentImage</li><li>ParentProcessName</li><li>MandatoryLabel</li><li>TokenElevationType</li><li>LogonId</li></ul> |
| Fields | <ul><li>EventID</li><li>Hostname</li><li>Username</li><li>UserSid</li><li>ProcessPid</li><li>ProcessId</li><li>ThreadID</li><li>ProcessName</li><li>NewProcessName</li><li>Image</li><li>CommandLine</li><li>ProcessCommandLine</li><li>ProcesssCommandLine</li><li>ParentProcessPid</li><li>ParentImage</li><li>ParentProcessName</li><li>MandatoryLabel</li><li>TokenElevationType</li><li>LogonId</li></ul> |
## Log Samples
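
Review bot: `ProcesssCommandLine` (three s) in the Fields row is carried over unchanged onto the new line; if it is a deliberate alias for a mis-spelled field name emitted by some collector, say so in the row, otherwise drop it so that rules generated from this dictionary do not inherit the typo. The added `ProcessId`/`ThreadID` also need a note that they are the `<Execution>` attributes of the process logging the event rather than attributes of the created process, which 4688 already reports as `ProcessPid`.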
@ -49,6 +49,7 @@
<Data Name="MandatoryLabel">S-1-16-8192</Data>
</EventData>
</Event>
```

View File

@ -1,4 +1,4 @@
| Title | DN_0003_windows_sysmon_process_creation_1 |
| Title | DN_0003_1_windows_sysmon_process_creation |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | Windows process creation log, including command line. |
| Logging Policy | <ul><li>[LP_0003_windows_sysmon_process_creation](../Logging_Policies/LP_0003_windows_sysmon_process_creation.md)</li></ul> |
@ -7,7 +7,7 @@
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Hostname</li><li>Username</li><li>ProcessGuid</li><li>ProcessId</li><li>ProcessName</li><li>CommandLine</li><li>LogonGuid</li><li>LogonId</li><li>TerminalSessionid</li><li>IntegrityLevel</li><li>Imphash</li><li>Sha256hash</li><li>Sha1hash</li><li>Md5hash</li><li>Image</li><li>ParentImage</li><li>ParentProcessGuid</li><li>ParentProcessId</li><li>ParentProcessName</li><li>ParentCommandLine</li></ul> |
| Fields | <ul><li>EventID</li><li>Hostname</li><li>Username</li><li>ProcessGuid</li><li>ProcessId</li><li>ThreadID</li><li>ProcessName</li><li>CommandLine</li><li>LogonGuid</li><li>LogonId</li><li>TerminalSessionid</li><li>IntegrityLevel</li><li>Imphash</li><li>Sha256hash</li><li>Sha1hash</li><li>Md5hash</li><li>Image</li><li>ParentImage</li><li>ParentProcessGuid</li><li>ParentProcessId</li><li>ParentProcessName</li><li>ParentCommandLine</li></ul> |
## Log Samples

View File

@ -1,4 +1,4 @@
| Title | DN_0004_windows_account_logon_4624 |
| Title | DN_0004_4624_windows_account_logon |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | An account was successfully logged on. |
| Logging Policy | <ul><li>[LP_0004_windows_audit_logon](../Logging_Policies/LP_0004_windows_audit_logon.md)</li></ul> |
@ -7,7 +7,7 @@
| Type | Windows Log |
| Channel | Security |
| Provider | Microsoft-Windows-Security-Auditing |
| Fields | <ul><li>EventID</li><li>AccountName</li><li>Hostname</li><li>Computer</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>TargetUserSid</li><li>TargetUserName</li><li>TargetDomainName</li><li>TargetLogonId</li><li>LogonType</li><li>LogonProcessName</li><li>AuthenticationPackageName</li><li>WorkstationName</li><li>LogonGuid</li><li>TransmittedServices</li><li>LmPackageName</li><li>KeyLength</li><li>ProcessId</li><li>ProcessName</li><li>IpAddress</li><li>IpPort</li><li>ImpersonationLevel</li><li>RestrictedAdminMode</li><li>TargetOutboundUserName</li><li>TargetOutboundDomainName</li><li>VirtualAccount</li><li>TargetLinkedLogonId</li><li>ElevatedToken</li></ul> |
| Fields | <ul><li>EventID</li><li>AccountName</li><li>Hostname</li><li>Computer</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>TargetUserSid</li><li>TargetUserName</li><li>TargetDomainName</li><li>TargetLogonId</li><li>LogonType</li><li>LogonProcessName</li><li>AuthenticationPackageName</li><li>WorkstationName</li><li>LogonGuid</li><li>TransmittedServices</li><li>LmPackageName</li><li>KeyLength</li><li>ProcessId</li><li>ThreadID</li><li>ProcessName</li><li>IpAddress</li><li>IpPort</li><li>ImpersonationLevel</li><li>RestrictedAdminMode</li><li>TargetOutboundUserName</li><li>TargetOutboundDomainName</li><li>VirtualAccount</li><li>TargetLinkedLogonId</li><li>ElevatedToken</li></ul> |
## Log Samples

View File

@ -0,0 +1,48 @@
| Title | DN_0005_7045_windows_service_insatalled |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | A service was installed in the system. |
| Logging Policy | <ul><li>[N](../Logging_Policies/N.md)</li><li>[o](../Logging_Policies/o.md)</li><li>[n](../Logging_Policies/n.md)</li><li>[e](../Logging_Policies/e.md)</li></ul> |
| References | <ul><li>[N](N)</li><li>[o](o)</li><li>[n](n)</li><li>[e](e)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | System |
| Provider | Service Control Manager |
| Fields | <ul><li>EventID</li><li>ProcessID</li><li>ThreadID</li><li>ServiceName</li><li>ImagePath</li><li>ServiceFileName</li><li>ServiceType</li><li>StartType</li><li>AccountName</li><li>UserSid</li><li>Computer</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
<EventID Qualifiers="16384">7045</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2017-07-02T15:48:56.256752900Z" />
<EventRecordID>762</EventRecordID>
<Correlation />
<Execution ProcessID="568" ThreadID="1792" />
<Channel>System</Channel>
<Computer>DESKTOP</Computer>
<Security UserID="S-1-5-21-2073602604-586167410-2329295167-1001" />
</System>
- <EventData>
<Data Name="ServiceName">sshd</Data>
<Data Name="ImagePath">C:\Program Files\OpenSSH\sshd.exe</Data>
<Data Name="ServiceType">user mode service</Data>
<Data Name="StartType">demand start</Data>
<Data Name="AccountName">LocalSystem</Data>
</EventData>
</Event>
```
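
Review bot: The Logging Policy and References rows split the string `None` into single characters, producing four bogus links (`[N](../Logging_Policies/N.md)`, `[o](../Logging_Policies/o.md)`, and so on); the generator is iterating over a scalar string as if it were a list, so either the YAML should carry a one-element list or the template should special-case a scalar. Also `insatalled` in the Title should be `installed`; the Fields row lists `ServiceFileName`, which does not occur in the sample (the path is in `ImagePath`), while `ProcessID`/`ThreadID` are the `<Execution>` attributes of the Service Control Manager writing the event, not EventData, which is worth stating next to the names. Finally, the raw sample keeps the `- ` prefixes from Event Viewer's XML view (`- <Event`, `- <System>`, `- <EventData>`); they are not part of the XML and break anyone who pastes the sample into a parser, and the same applies to every raw sample in this commit.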

View File

@ -0,0 +1,51 @@
| Title | DN_0006_2_windows_sysmon_process_changed_a_file_creation_time |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | Explicit modification of file creation timestamp by a process |
| Logging Policy | <ul><li>[None](../Logging_Policies/None.md)</li></ul> |
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90002](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90002)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-2.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-2.md)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>Image</li><li>TargetFilename</li><li>CreationUtcTime</li><li>PreviousCreationUtcTime</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>2</EventID>
<Version>4</Version>
<Level>4</Level>
<Task>2</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2018-12-10T15:08:56.961102400Z" />
<EventRecordID>6994</EventRecordID>
<Correlation />
<Execution ProcessID="2940" ThreadID="3576" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="UtcTime">2018-12-10 15:08:56.954</Data>
<Data Name="ProcessGuid">{9683FBB1-8164-5C0E-0000-00104B532800}</Data>
<Data Name="ProcessId">2788</Data>
<Data Name="Image">C:\Users\user1\AppData\Local\Temp\chocolatey\wireshark\2.6.5\Wireshark-win64-2.6.5.exe</Data>
<Data Name="TargetFilename">C:\Program Files\Wireshark\user-guide.chm</Data>
<Data Name="CreationUtcTime">2018-11-28 18:37:08.000</Data>
<Data Name="PreviousCreationUtcTime">2018-12-10 15:08:56.486</Data>
</EventData>
</Event>
```
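
Review bot: `[None](../Logging_Policies/None.md)` in the Logging Policy row renders `None` as a link to a `None.md` that presumably does not exist; the template should emit plain `None` when there is no policy. The sample itself deserves a sentence in Description: `PreviousCreationUtcTime` (2018-12-10 15:08:56.486) is later than the new `CreationUtcTime` (2018-11-28 18:37:08.000), i.e. the installer backdated the file, which is exactly the timestamp manipulation this event exists to expose, and readers should know that benign installers produce it too.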

View File

@ -0,0 +1,61 @@
| Title | DN_0007_3_windows_sysmon_network_connection |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | TCP/UDP connections made by a process |
| Logging Policy | <ul><li>[LP_0005_windows_sysmon_network_connection](../Logging_Policies/LP_0005_windows_sysmon_network_connection.md)</li></ul> |
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90003](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90003)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-3.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-3.md)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>Image</li><li>User</li><li>Protocol</li><li>Initiated</li><li>SourceIsIpv6</li><li>SourceIp</li><li>SourceHostname</li><li>SourcePort</li><li>SourcePortName</li><li>DestinationIsIpv6</li><li>DestinationIp</li><li>DestinationHostname</li><li>DestinationPort</li><li>DestinationPortName</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>3</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>3</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-05T15:16:29.384924000Z" />
<EventRecordID>16000</EventRecordID>
<Correlation />
<Execution ProcessID="1828" ThreadID="2764" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>ATC-WIN-7.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="UtcTime">2019-02-05 15:16:17.411</Data>
<Data Name="ProcessGuid">{A96EFBF1-A8C9-5C59-0000-0010D274D300}</Data>
<Data Name="ProcessId">3900</Data>
<Data Name="Image">C:\Users\user1\Desktop\SysinternalsSuite\PsExec.exe</Data>
<Data Name="User">ATC-WIN-7\user1</Data>
<Data Name="Protocol">tcp</Data>
<Data Name="Initiated">true</Data>
<Data Name="SourceIsIpv6">false</Data>
<Data Name="SourceIp">10.0.0.111</Data>
<Data Name="SourceHostname">ATC-WIN-7.atc.local</Data>
<Data Name="SourcePort">49603</Data>
<Data Name="SourcePortName" />
<Data Name="DestinationIsIpv6">false</Data>
<Data Name="DestinationIp">10.0.0.103</Data>
<Data Name="DestinationHostname">ATC-WIN-10</Data>
<Data Name="DestinationPort">135</Data>
<Data Name="DestinationPortName">epmap</Data>
</EventData>
</Event>
```

View File

@ -0,0 +1,47 @@
| Title | DN_0007_windows_sysmon_sysmon_service_state_changed_4 |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | Sysmon service changed status |
| Logging Policy | <ul><li>[None](../Logging_Policies/None.md)</li></ul> |
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90004](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90004)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-4.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-4.md)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>UtcTime</li><li>State</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>4</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>4</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-05T13:11:20.289486200Z" />
<EventRecordID>45818</EventRecordID>
<Correlation />
<Execution ProcessID="3172" ThreadID="4192" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="UtcTime">2019-02-05 13:11:20.281</Data>
<Data Name="State">Started</Data>
<Data Name="Version">8.00</Data>
<Data Name="SchemaVersion">4.10</Data>
</EventData>
</Event>
```
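
Review bot: The Title `DN_0007_windows_sysmon_sysmon_service_state_changed_4` reuses identifier DN_0007, which this same commit also assigns to `DN_0007_3_windows_sysmon_network_connection`, and it keeps the old `..._<eventid>` suffix layout that the commit otherwise migrates to `DN_xxxx_<eventid>_...` (compare `DN_0006_2_...` and `DN_0009_5_...`). DN_0008 is not used anywhere in the diff, so `DN_0008_4_windows_sysmon_service_state_changed` would fix both. The sample also carries `Version` and `SchemaVersion` in EventData, which are missing from the Fields row and are useful for spotting a Sysmon downgrade or an unexpected restart.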

View File

@ -0,0 +1,48 @@
| Title | DN_0009_5_windows_sysmon_process_terminated |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | Process has been terminated |
| Logging Policy | <ul><li>[None](../Logging_Policies/None.md)</li></ul> |
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90005](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90005)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>Image</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>5</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>5</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-05T15:16:38.833314100Z" />
<EventRecordID>57994</EventRecordID>
<Correlation />
<Execution ProcessID="3172" ThreadID="4192" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="UtcTime">2019-02-05 15:16:38.821</Data>
<Data Name="ProcessGuid">{9683FBB1-A8D6-5C59-0000-001009797000}</Data>
<Data Name="ProcessId">2440</Data>
<Data Name="Image">C:\Windows\PSEXESVC.exe</Data>
</EventData>
</Event>
```

View File

@ -0,0 +1,50 @@
| Title | DN_0010_6_windows_sysmon_driver_loaded |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | The driver loaded events provides information about a driver being loaded on the system. The configured hashes are provided as well as signature information |
| Logging Policy | <ul><li>[None](../Logging_Policies/None.md)</li></ul> |
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90006](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90006)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-6.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-6.md)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>UtcTime</li><li>ImageLoaded</li><li>Hashes</li><li>Signed</li><li>Signature</li><li>SignatureStatus</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>6</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>6</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2018-12-09T21:41:44.778524700Z" />
<EventRecordID>4565</EventRecordID>
<Correlation />
<Execution ProcessID="2996" ThreadID="3992" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="UtcTime">2018-12-09 21:41:41.091</Data>
<Data Name="ImageLoaded">C:\Windows\System32\drivers\PROCEXP152.SYS</Data>
<Data Name="Hashes">MD5=8213C5972C91A56BE78CD02A4DE4E3FC,SHA256=95D07C3B8DF26790AC43BB4259F65D1E90B03EA31D66F1B3961D85E21C5FF590</Data>
<Data Name="Signed">true</Data>
<Data Name="Signature">Sysinternals</Data>
<Data Name="SignatureStatus">Valid</Data>
</EventData>
</Event>
```
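
Review bot: Description reads `The driver loaded events provides ...` with a number disagreement and no closing period; `The driver loaded event provides information about a driver being loaded on the system. The configured hashes are provided as well as signature information.` is the fix. The Fields row lists `Hashes` as a single field, but the sample shows it as a composite `MD5=...,SHA256=...` string, so either document the comma-separated `ALG=value` layout or list per-algorithm fields the way DN_0003 does (`Imphash`, `Sha256hash`, `Sha1hash`, `Md5hash`), otherwise rules that compare a hash against this field will need ad-hoc parsing.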

View File

@ -0,0 +1,52 @@
| Title | DN_0011_7_windows_sysmon_image_loaded |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | The image loaded event logs when a module is loaded in a specific process. |
| Logging Policy | <ul><li>[LP_0006_windows_sysmon_image_loaded](../Logging_Policies/LP_0006_windows_sysmon_image_loaded.md)</li></ul> |
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90007](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90007)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-7.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-7.md)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>Image</li><li>ImageLoaded</li><li>Hashes</li><li>Signed</li><li>Signature</li><li>SignatureStatus</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>7</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>7</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2017-04-28T22:45:16.663226600Z" />
<EventRecordID>16636</EventRecordID>
<Correlation />
<Execution ProcessID="3216" ThreadID="3964" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>rfsH.lab.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="UtcTime">2017-04-28 22:45:16.662</Data>
<Data Name="ProcessGuid">{A23EAE89-C5FA-5903-0000-0010BF439000}</Data>
<Data Name="ProcessId">12536</Data>
<Data Name="Image">C:\Windows\System32\notepad.exe</Data>
<Data Name="ImageLoaded">C:\Windows\System32\ole32.dll</Data>
<Data Name="Hashes">SHA1=B2A2BBCFB69B1F0982C4B82055DAD9BAE4384E4B</Data>
<Data Name="Signed">true</Data>
<Data Name="Signature">Microsoft Windows</Data>
<Data Name="SignatureStatus">Valid</Data>
</EventData>
</Event>
```

View File

@ -0,0 +1,54 @@
| Title | DN_0012_8_windows_sysmon_CreateRemoteThread |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | The CreateRemoteThread event detects when a process creates a thread in another process. |
| Logging Policy | <ul><li>[None](../Logging_Policies/None.md)</li></ul> |
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90008](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90008)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-8.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-8.md)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>UtcTime</li><li>SourceProcessGuid</li><li>SourceProcessId</li><li>SourceImage</li><li>TargetProcessGuid</li><li>TargetProcessId</li><li>TargetImage</li><li>NewThreadId</li><li>StartAddress</li><li>StartModule</li><li>StartFunction</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>8</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>8</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2017-05-13T22:53:43.214864300Z" />
<EventRecordID>739823</EventRecordID>
<Correlation />
<Execution ProcessID="2848" ThreadID="3520" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>rfsH.lab.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="UtcTime">2017-05-13 22:53:43.214</Data>
<Data Name="SourceProcessGuid">{A23EAE89-8E6D-5917-0000-0010DFAF5004}</Data>
<Data Name="SourceProcessId">8804</Data>
<Data Name="SourceImage">C:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\IDE\Remote Debugger\x64\msvsmon.exe</Data>
<Data Name="TargetProcessGuid">{A23EAE89-8E5A-5917-0000-00100E3E4D04}</Data>
<Data Name="TargetProcessId">2024</Data>
<Data Name="TargetImage">C:\repos\Supercharger\Mtg.Supercharger.ControllerService\bin\x64\Debug\Mtg.Supercharger.ControllerService.exe</Data>
<Data Name="NewThreadId">20532</Data>
<Data Name="StartAddress">0x00007FFB09321970</Data>
<Data Name="StartModule">C:\Windows\SYSTEM32\ntdll.dll</Data>
<Data Name="StartFunction">DbgUiRemoteBreakin</Data>
</EventData>
</Event>
```

View File

@ -0,0 +1,48 @@
| Title | DN_0013_9_windows_sysmon_RawAccessRead |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | The RawAccessRead event detects when a process conducts reading operations from the drive using the \\.\ denotation. |
| Logging Policy | <ul><li>[None](../Logging_Policies/None.md)</li></ul> |
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90009](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90009)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-9.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-9.md)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>Image</li><li>Device</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>9</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>9</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2018-03-22T20:32:22.333778700Z" />
<EventRecordID>1944686</EventRecordID>
<Correlation />
<Execution ProcessID="19572" ThreadID="21888" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>rfsH.lab.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="UtcTime">2018-03-22 20:32:22.332</Data>
<Data Name="ProcessGuid">{A23EAE89-C65F-5AB2-0000-0010EB030000}</Data>
<Data Name="ProcessId">4</Data>
<Data Name="Image">System</Data>
<Data Name="Device">\Device\HarddiskVolume2</Data>
</EventData>
</Event>
```
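
Review bot: The Description text `using the \\.\ denotation` sits in a markdown table cell, where `\\` collapses to a single backslash and the rendered page will show `\.\`; wrap the device prefix in backticks or double the escapes so the physical-device notation survives rendering. It would also help to state in Description that `Image` is `System` with `ProcessId` 4 in the sample because the read was issued from kernel mode, so a rule expecting a user-mode image path for raw disk reads will not see every case.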

View File

@ -0,0 +1,54 @@
| Title | DN_0014_10_windows_sysmon_ProcessAccess |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | The process accessed event reports when a process opens another process, an operation thats often followed by information queries or reading and writing the address space of the target process. |
| Logging Policy | <ul><li>[LP_0007_windows_sysmon_ProcessAccess](../Logging_Policies/LP_0007_windows_sysmon_ProcessAccess.md)</li></ul> |
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90010](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90010)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-10.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-10.md)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>UtcTime</li><li>SourceProcessGUID</li><li>SourceProcessId</li><li>SourceThreadId</li><li>SourceImage</li><li>TargetProcessGUID</li><li>TargetProcessId</li><li>TargetImage</li><li>GrantedAccess</li><li>CallTrace</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>10</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>10</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-01-30T14:28:35.216091900Z" />
<EventRecordID>42444</EventRecordID>
<Correlation />
<Execution ProcessID="3892" ThreadID="5724" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="UtcTime">2019-01-30 14:28:35.212</Data>
<Data Name="SourceProcessGUID">{9683FBB1-B470-5C51-0000-0010521EBB00}</Data>
<Data Name="SourceProcessId">6916</Data>
<Data Name="SourceThreadId">8080</Data>
<Data Name="SourceImage">C:\Users\user1\Desktop\mimi\x64\mimikatz.exe</Data>
<Data Name="TargetProcessGUID">{9683FBB1-9A52-5C51-0000-0010C3610000}</Data>
<Data Name="TargetProcessId">672</Data>
<Data Name="TargetImage">C:\windows\system32\lsass.exe</Data>
<Data Name="GrantedAccess">0x1010</Data>
<Data Name="CallTrace">C:\windows\SYSTEM32\ntdll.dll+9a3c4|C:\windows\System32\KERNELBASE.dll+2fd5d|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+7a906|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+7ac75|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+7a82d|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+4d28c|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+4d0c4|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+4cea1|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+80675|C:\windows\System32\KERNEL32.DLL+13034|C:\windows\SYSTEM32\ntdll.dll+71471</Data>
</EventData>
</Event>
```
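
Review bot: `SourceProcessGUID`/`TargetProcessGUID` in the Fields row use a different casing from `SourceProcessGuid`/`TargetProcessGuid` in DN_0012 and from `ProcessGuid` everywhere else in this commit; the Sysmon XML does vary per event, but the dictionary should normalise to one spelling so that a rule written against `ProcessGuid` does not silently miss this event. Also `thats` in Description should be `that's`. Worth saying in Description that `GrantedAccess` and `CallTrace` are the fields detection logic for this event is built on, as the sample (`0x1010` against `lsass.exe` with a call trace through the source image) shows.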

View File

@ -0,0 +1,50 @@
| Title | DN_0015_11_windows_sysmon_FileCreate |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | File create operations are logged when a file is created or overwritten. This event is useful for monitoring autostart locations, like the Startup folder, as well as temporary and download directories, which are common places malware drops during initial infection. |
| Logging Policy | <ul><li>[LP_0008_windows_sysmon_FileCreate](../Logging_Policies/LP_0008_windows_sysmon_FileCreate.md)</li></ul> |
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90011](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90011)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-11.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-11.md)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>Image</li><li>TargetFilename</li><li>CreationUtcTime</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>11</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>11</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-01-30T15:08:51.296611700Z" />
<EventRecordID>42528</EventRecordID>
<Correlation />
<Execution ProcessID="3892" ThreadID="5724" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="UtcTime">2019-01-30 15:08:51.287</Data>
<Data Name="ProcessGuid">{9683FBB1-9A3F-5C51-0000-0010EB030000}</Data>
<Data Name="ProcessId">4</Data>
<Data Name="Image">System</Data>
<Data Name="TargetFilename">C:\Windows\PSEXESVC.exe</Data>
<Data Name="CreationUtcTime">2019-01-30 15:08:51.287</Data>
</EventData>
</Event>
```
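
Review bot: the Raw Log sample is not well-formed XML as pasted: the `- <Event ...>`, `- <System>` and `- <EventData>` lines still carry the collapse markers from Event Viewer's XML view, so anyone feeding this sample to a parser or a test harness has to strip the leading `- ` first. Suggest copying the event text without the tree-view markers so the sample validates as-is; the same markers are present in every Sysmon sample added in this commit.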

View File

@ -0,0 +1,50 @@
| Title | DN_0016_12_windows_sysmon_RegistryEvent |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | Registry key and value create and delete operations map to this event type, which can be useful for monitoring for changes to Registry autostart locations, or specific malware registry modifications. |
| Logging Policy | <ul><li>[None](../Logging_Policies/None.md)</li></ul> |
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90012](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90012)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-12.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-12.md)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>EventType</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>Image</li><li>TargetObject</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>12</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>12</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-01-30T17:05:28.027841800Z" />
<EventRecordID>42938</EventRecordID>
<Correlation />
<Execution ProcessID="3892" ThreadID="5724" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="EventType">DeleteKey</Data>
<Data Name="UtcTime">2019-01-30 17:05:28.023</Data>
<Data Name="ProcessGuid">{9683FBB1-D812-5C51-0000-0010F3871201}</Data>
<Data Name="ProcessId">10396</Data>
<Data Name="Image">C:\Windows\regedit.exe</Data>
<Data Name="TargetObject">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\New Key #1</Data>
</EventData>
</Event>
```
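
Review bot: `Logging Policy` renders as `[None](../Logging_Policies/None.md)`, a link to a file that does not exist. The generator should emit plain `None` when no policy is attached, or better, this document should reference a Sysmon RegistryEvent logging policy the way the FileCreate document references `LP_0008_windows_sysmon_FileCreate`. The same dead link appears in every new Sysmon document in this commit (events 13, 14, 15, 17, 18, 19, 20, 21).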

View File

@ -0,0 +1,51 @@
| Title | DN_0016_13_windows_sysmon_RegistryEvent |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | This Registry event type identifies Registry value modifications. The event records the value written for Registry values of type DWORD and QWORD. |
| Logging Policy | <ul><li>[None](../Logging_Policies/None.md)</li></ul> |
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90013](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90013)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-13.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-13.md)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>EventType</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>Image</li><li>TargetObject</li><li>Details</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>13</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>13</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-01-30T17:06:11.698273500Z" />
<EventRecordID>42943</EventRecordID>
<Correlation />
<Execution ProcessID="3892" ThreadID="5724" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="EventType">SetValue</Data>
<Data Name="UtcTime">2019-01-30 17:06:11.673</Data>
<Data Name="ProcessGuid">{9683FBB1-D812-5C51-0000-0010F3871201}</Data>
<Data Name="ProcessId">10396</Data>
<Data Name="Image">C:\Windows\regedit.exe</Data>
<Data Name="TargetObject">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\New Value #1</Data>
<Data Name="Details">C:\Program Files\Sublime Text 3\sublime_text.exe</Data>
</EventData>
</Event>
```
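
Review bot: the `Title` reuses `DN_0016` for Sysmon event 13, but the preceding document already uses `DN_0016` for event 12 and event 14 is `DN_0018`, so this one should be `DN_0017`; the identifier is what the Data Needed links in the analytics resolve against, so the collision will break cross-references. Minor: the description says the written value is recorded only for DWORD and QWORD values, yet the sample's `Details` carries a string path (`C:\Program Files\Sublime Text 3\sublime_text.exe`), so the description should say string values are recorded as well.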

View File

@ -0,0 +1,51 @@
| Title | DN_0018_14_windows_sysmon_RegistryEvent |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | Registry key and value rename operations map to this event type, recording the new name of the key or value that was renamed. |
| Logging Policy | <ul><li>[None](../Logging_Policies/None.md)</li></ul> |
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90014](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90014)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-14.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-14.md)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>EventType</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>Image</li><li>TargetObject</li><li>Details</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>14</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>14</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-01-30T18:16:38.889738400Z" />
<EventRecordID>43065</EventRecordID>
<Correlation />
<Execution ProcessID="3892" ThreadID="5724" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="EventType">RenameKey</Data>
<Data Name="UtcTime">2019-01-30 18:16:38.886</Data>
<Data Name="ProcessGuid">{9683FBB1-D812-5C51-0000-0010F3871201}</Data>
<Data Name="ProcessId">10396</Data>
<Data Name="Image">C:\Windows\regedit.exe</Data>
<Data Name="TargetObject">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\New Key #1</Data>
<Data Name="NewName">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\New Key #2</Data>
</EventData>
</Event>
```
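
Review bot: the `Fields` row lists `Details`, but the event data for a RenameKey operation carries `NewName` (see `<Data Name="NewName">` in the sample) and no `Details` field; replace `Details` with `NewName` in the field list so field mappings generated from this document match the actual event.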

View File

@ -0,0 +1,51 @@
| Title | DN_0019_15_windows_sysmon_FileCreateStreamHash |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | This event logs when a named file stream is created, and it generates events that log the hash of the contents of the file to which the stream is assigned (the unnamed stream), as well as the contents of the named stream. |
| Logging Policy | <ul><li>[None](../Logging_Policies/None.md)</li></ul> |
| References | <ul><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-15.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-15.md)</li><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>Image</li><li>TargetFilename</li><li>CreationUtcTime</li><li>Hash</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>15</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>15</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-01-21T12:43:53.385072700Z" />
<EventRecordID>34115</EventRecordID>
<Correlation />
<Execution ProcessID="2052" ThreadID="4092" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="UtcTime">2019-01-21 12:43:53.368</Data>
<Data Name="ProcessGuid">{9683FBB1-A860-5C45-0000-0010274F1400}</Data>
<Data Name="ProcessId">6604</Data>
<Data Name="Image">C:\windows\Explorer.EXE</Data>
<Data Name="TargetFilename">C:\Users\user1\Downloads\wce_v1_42beta_x64\wce.exe</Data>
<Data Name="CreationUtcTime">2013-11-11 22:41:40.000</Data>
<Data Name="Hash">MD5=CCF1D1573F175299ADE01C07791A6541,SHA256=68A15A34C2E28B9B521A240B948634617D72AD619E3950BC6DC769E60A0C3CF2</Data>
</EventData>
</Event>
```
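
Review bot: the `Fields` row lists `Hash` as a single field, but the sample shows it is a composite string, `MD5=...,SHA256=...`, whose members depend on the hash algorithms configured in Sysmon; the document should say the value has to be split on `,` and `=` before individual hashes can be matched, otherwise an exact-match rule on `Hash` will never fire. Also worth stating in the description: `CreationUtcTime` (2013 in the sample) is the file's own creation timestamp and differs from `UtcTime` (2019), so the two fields must not be treated as interchangeable when timelining.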

View File

@ -0,0 +1,49 @@
| Title | DN_0020_17_windows_sysmon_PipeEvent |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | This event generates when a named pipe is created. Malware often uses named pipes for interprocess communication. |
| Logging Policy | <ul><li>[None](../Logging_Policies/None.md)</li></ul> |
| References | <ul><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-17.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-17.md)</li><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90017](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90017)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>PipeName</li><li>Image</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>17</EventID>
<Version>1</Version>
<Level>4</Level>
<Task>17</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-05T13:37:34.396695400Z" />
<EventRecordID>46617</EventRecordID>
<Correlation />
<Execution ProcessID="3172" ThreadID="4192" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="UtcTime">2019-02-05 13:37:34.396</Data>
<Data Name="ProcessGuid">{9683FBB1-919E-5C59-0000-0010A0E53B00}</Data>
<Data Name="ProcessId">7128</Data>
<Data Name="PipeName">\PSEXESVC-ATC-WIN-7-2728-stdin</Data>
<Data Name="Image">C:\windows\PSEXESVC.exe</Data>
</EventData>
</Event>
```

View File

@ -0,0 +1,49 @@
| Title | DN_0021_18_windows_sysmon_PipeEvent |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | This event logs when a named pipe connection is made between a client and a server. |
| Logging Policy | <ul><li>[None](../Logging_Policies/None.md)</li></ul> |
| References | <ul><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-18.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-18.md)</li><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90018](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90018)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>PipeName</li><li>Image</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>18</EventID>
<Version>1</Version>
<Level>4</Level>
<Task>18</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-05T13:37:34.457379300Z" />
<EventRecordID>46620</EventRecordID>
<Correlation />
<Execution ProcessID="3172" ThreadID="4192" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>tdl-win-10.tdl.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="UtcTime">2019-02-05 13:37:34.455</Data>
<Data Name="ProcessGuid">{9683FBB1-8B5F-5C59-0000-0010EB030000}</Data>
<Data Name="ProcessId">4</Data>
<Data Name="PipeName">\PSEXESVC-TDL-WIN-7-2728-stdin</Data>
<Data Name="Image">System</Data>
</EventData>
</Event>
```
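
Review bot: the sample was anonymised inconsistently: `Computer` is `tdl-win-10.tdl.local` and `PipeName` is `\PSEXESVC-TDL-WIN-7-2728-stdin`, while the event 17 sample and every other document in this commit use `atc-win-10.atc.local` / `ATC-WIN-7`. The event 17 and 18 samples are evidently the same PsExec session (same `2728` suffix, same second in `UtcTime`), so both should use the same hostnames so that a reader can correlate the pipe creation with the pipe connection.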

View File

@ -0,0 +1,51 @@
| Title | DN_0022_19_windows_sysmon_WmiEvent |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | When a WMI event filter is registered, which is a method used by malware to execute, this event logs the WMI namespace, filter name and filter expression. |
| Logging Policy | <ul><li>[None](../Logging_Policies/None.md)</li></ul> |
| References | <ul><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-19.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-19.md)</li><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90019](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90019)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>EventType</li><li>UtcTime</li><li>Operation</li><li>User</li><li>EventNamespace</li><li>Name</li><li>Query</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>19</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>19</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-05T14:44:42.434534600Z" />
<EventRecordID>46712</EventRecordID>
<Correlation />
<Execution ProcessID="3172" ThreadID="444" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="EventType">WmiFilterEvent</Data>
<Data Name="UtcTime">2019-02-05 14:44:42.432</Data>
<Data Name="Operation">Created</Data>
<Data Name="User">atc-win-10\user1</Data>
<Data Name="EventNamespace">"root\\CimV2"</Data>
<Data Name="Name">"AtomicRedTeam-WMIPersistence-Example"</Data>
<Data Name="Query">"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"</Data>
</EventData>
</Event>
```
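
Review bot: `EventNamespace`, `Name` and `Query` in the sample carry literal surrounding double quotes (`"root\\CimV2"`, `"AtomicRedTeam-WMIPersistence-Example"`) and the backslash in the namespace is doubled; the field list should note this so that rules are written against the value as it is actually stored, or the document should state that the quotes are stripped at ingest. The same applies to `Destination` in the event 20 document and to `Consumer` / `Filter` in the event 21 document.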

View File

@ -0,0 +1,51 @@
| Title | DN_0023_20_windows_sysmon_WmiEvent |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | This event logs the registration of WMI consumers, recording the consumer name, log, and destination. |
| Logging Policy | <ul><li>[None](../Logging_Policies/None.md)</li></ul> |
| References | <ul><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-20.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-20.md)</li><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90020](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90020)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>EventType</li><li>UtcTime</li><li>Operation</li><li>User</li><li>Name</li><li>Type</li><li>Destination</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>20</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>20</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-05T14:44:42.518512400Z" />
<EventRecordID>46713</EventRecordID>
<Correlation />
<Execution ProcessID="3172" ThreadID="444" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="EventType">WmiConsumerEvent</Data>
<Data Name="UtcTime">2019-02-05 14:44:42.510</Data>
<Data Name="Operation">Created</Data>
<Data Name="User">atc-win-10\user1</Data>
<Data Name="Name">"AtomicRedTeam-WMIPersistence-Example"</Data>
<Data Name="Type">Command Line</Data>
<Data Name="Destination">"C:\\windows\\System32\\notepad.exe"</Data>
</EventData>
</Event>
```

View File

@ -0,0 +1,50 @@
| Title | DN_0024_21_windows_sysmon_WmiEvent |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | When a consumer binds to a filter, this event logs the consumer name and filter path. |
| Logging Policy | <ul><li>[None](../Logging_Policies/None.md)</li></ul> |
| References | <ul><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-21.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-21.md)</li><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90021](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90021)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>EventType</li><li>UtcTime</li><li>Operation</li><li>User</li><li>Consumer</li><li>Filter</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>21</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>21</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-05T14:44:47.091658300Z" />
<EventRecordID>46714</EventRecordID>
<Correlation />
<Execution ProcessID="3172" ThreadID="444" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="EventType">WmiBindingEvent</Data>
<Data Name="UtcTime">2019-02-05 14:44:47.087</Data>
<Data Name="Operation">Created</Data>
<Data Name="User">atc-win-10\user1</Data>
<Data Name="Consumer">"\\\\.\\ROOT\\subscription:CommandLineEventConsumer.Name=\"AtomicRedTeam-WMIPersistence-Example\""</Data>
<Data Name="Filter">"\\\\.\\ROOT\\subscription:__EventFilter.Name=\"AtomicRedTeam-WMIPersistence-Example\""</Data>
</EventData>
</Event>
```

View File

@ -3,7 +3,7 @@
| Description | Detects Hurricane Panda Activity |
| ATT&amp;CK Tactic | <ul><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1068](https://attack.mitre.org/tactics/T1068)</li></ul> |
| Data Needed | <ul><li>[DN_0003_windows_sysmon_process_creation_1](../Data_Needed/DN_0003_windows_sysmon_process_creation_1.md)</li><li>[DN_0002_windows_process_creation_with_commandline_4688](../Data_Needed/DN_0002_windows_process_creation_with_commandline_4688.md)</li></ul> |
| Data Needed | <ul></ul> |
| Trigger | There is no Trigger for this technique yet. |
| Severity Level | high |
| False Positives | <ul><li>Unknown</li></ul> |
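
Review bot: the change replaces both Data Needed links with an empty `<ul></ul>`, so the analytic no longer states which event sources it needs. The DN documents added in this commit follow a new naming scheme (`DN_0016_12_windows_sysmon_RegistryEvent`, and `DN_0003_1_windows_sysmon_process_creation` as referenced by the impersonation rule), so the generator is failing to resolve the old `DN_0003_windows_sysmon_process_creation_1` / `DN_0002_windows_process_creation_with_commandline_4688` names and dropping them instead of mapping them to the renamed files; fix the resolution rather than shipping empty lists. Pre-existing on the context line: the technique link points to `https://attack.mitre.org/tactics/T1068`, which is the tactics path, where `/techniques/T1068` is meant.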

View File

@ -3,7 +3,7 @@
| Description | Detect remote login by Administrator user depending on internal pattern |
| ATT&amp;CK Tactic | <ul><li>[TA0008: Lateral Movement](https://attack.mitre.org/tactics/TA0008)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1078](https://attack.mitre.org/tactics/T1078)</li></ul> |
| Data Needed | <ul><li>[DN_0004_windows_account_logon_4624](../Data_Needed/DN_0004_windows_account_logon_4624.md)</li></ul> |
| Data Needed | <ul></ul> |
| Trigger | There is no Trigger for this technique yet. |
| Severity Level | low |
| False Positives | <ul><li>Legitimate administrative activity</li></ul> |
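
Review bot: Data Needed drops `DN_0004_windows_account_logon_4624` and becomes `<ul></ul>`; a lateral-movement rule on Administrator logons with no declared data source cannot be mapped to a logging policy, so the link should be updated to the renamed DN document rather than removed. The `T1078` link also uses the `/tactics/` path where `/techniques/` is meant.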

View File

@ -3,7 +3,7 @@
| Description | Detects suspicious process run from unusual locations |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1036](https://attack.mitre.org/tactics/T1036)</li></ul> |
| Data Needed | <ul><li>[DN_0002_windows_process_creation_with_commandline_4688](../Data_Needed/DN_0002_windows_process_creation_with_commandline_4688.md)</li><li>[DN_0003_windows_sysmon_process_creation_1](../Data_Needed/DN_0003_windows_sysmon_process_creation_1.md)</li></ul> |
| Data Needed | <ul></ul> |
| Trigger | <ul><li>[T1036](../Triggering/T1036.md)</li></ul> |
| Severity Level | medium |
| False Positives | <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li></ul> |
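
Review bot: Data Needed is emptied to `<ul></ul>` while the Trigger still references `T1036`, so the rule keeps its test case but loses the two process-creation sources (4688 with command line, Sysmon event 1) it needs in order to fire; regenerate with the links resolved to the renamed DN files instead of dropping them.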

View File

@ -0,0 +1,85 @@
| Title | Abusing impersonation. Service account > SYSTEM |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detection of processes spawned under SYSTEM by processes started with Network or Local service accounts |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1134](https://attack.mitre.org/tactics/T1134)</li></ul> |
| Data Needed | <ul><li>[[]](../Data_Needed/[].md)</li><li>[['DN_0003_1_windows_sysmon_process_creation']](../Data_Needed/['DN_0003_1_windows_sysmon_process_creation'].md)</li><li>[['DN_0003_1_windows_sysmon_process_creation']](../Data_Needed/['DN_0003_1_windows_sysmon_process_creation'].md)</li></ul> |
| Trigger | <ul><li>[T1134](../Triggering/T1134.md)</li></ul> |
| Severity Level | critical |
| False Positives | <ul><li>Todo</li></ul> |
| Development Status | experimental |
| References | <ul><li>[https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment](https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment)</li></ul> |
| Author | Teymur Kheirkhabarov |
## Detection Rules
### Sigma rule
```
title: Abusing impersonation. Service account > SYSTEM
description: Detection of processes spawned under SYSTEM by processes started with Network or Local service accounts
references:
- https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1134
status: experimental
author: Teymur Kheirkhabarov
logsource:
product: windows
service: sysmon
detection:
selection1:
EventID: 1
User: "NT AUTHORITY\\SYSTEM"
ParentUser:
- "NT AUTHORITY\\NETWORK SERVICE"
- "NT AUTHORITY\\LOCAL SERVICE"
selection2:
CommandLine:
- "*rundll32*"
selection3:
CommandLine:
- "*DavSetCookie*"
condition: selection1 and not (selection2 and selection3)
falsepositives:
- Todo
level: critical
enrichment:
- EN_0001_cache_sysmon_event_id_1_info
- EN_0002_enrich_sysmon_event_id_1_with_parent_info
```
### Kibana query
```
((EventID:"1" AND User:"NT AUTHORITY\\\\SYSTEM" AND ParentUser:("NT AUTHORITY\\\\NETWORK SERVICE" "NT AUTHORITY\\\\LOCAL SERVICE")) AND NOT ((CommandLine:("*rundll32*") AND CommandLine:("*DavSetCookie*"))))
```
### X-Pack Watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/Abusing-impersonation.-Service-account-\xe2\x80\x93>-SYSTEM <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "((EventID:\\"1\\" AND User:\\"NT AUTHORITY\\\\\\\\SYSTEM\\" AND ParentUser:(\\"NT AUTHORITY\\\\\\\\NETWORK SERVICE\\" \\"NT AUTHORITY\\\\\\\\LOCAL SERVICE\\")) AND NOT ((CommandLine:(\\"*rundll32*\\") AND CommandLine:(\\"*DavSetCookie*\\"))))",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'Abusing impersonation. Service account \\u2013> SYSTEM\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### Graylog
```
((EventID:"1" AND User:"NT AUTHORITY\\\\SYSTEM" AND ParentUser:("NT AUTHORITY\\\\NETWORK SERVICE" "NT AUTHORITY\\\\LOCAL SERVICE")) AND NOT ((CommandLine:("*rundll32*") AND CommandLine:("*DavSetCookie*"))))
```
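
Review bot: the `Data Needed` row is corrupted: it renders `[[]](../Data_Needed/[].md)` and, twice, `[['DN_0003_1_windows_sysmon_process_creation']](../Data_Needed/['DN_0003_1_windows_sysmon_process_creation'].md)`, i.e. the generator is stringifying Python lists (one of them empty) instead of iterating over the DN identifiers, which yields three dead links for a single data source. Second, the X-Pack Watcher block is the escaped repr of a string rather than a shell command: it contains literal `\n`, `\'` and `\xe2\x80\x93` sequences, and once those are unescaped the watch id `...-Service-account-–>-SYSTEM` contains an unquoted `>`, which the shell treats as stdout redirection, so the `curl` URL ends at `Service-account-–` and a file named `-SYSTEM` is created; quote the URL or strip the arrow from the id. Third, the title in the table (`Service account > SYSTEM`) and the title inside the watcher (`Service account \u2013> SYSTEM`) disagree, so the dash was lost in one of the two renderings. Finally, `level: critical` with `falsepositives: Todo` should be reconciled before the rule moves past `experimental`.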

View File

@ -0,0 +1,77 @@
| Title | Windows Kernel and 3rd-party drivers exploits. Token stealing |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detection of child processes spawned with SYSTEM privileges by parents with non-SYSTEM privileges and Medium integrity level |
| ATT&amp;CK Tactic | <ul><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1068](https://attack.mitre.org/tactics/T1068)</li></ul> |
| Data Needed | <ul></ul> |
| Trigger | There is no Trigger for this technique yet. |
| Severity Level | critical |
| False Positives | <ul><li>Todo</li></ul> |
| Development Status | experimental |
| References | <ul><li>[https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment](https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment)</li></ul> |
| Author | Teymur Kheirkhabarov |
## Detection Rules
### Sigma rule
```
title: Windows Kernel and 3rd-party drivers exploits. Token stealing
description: Detection of child processes spawned with SYSTEM privileges by parents with non-SYSTEM privileges and Medium integrity level
references:
- https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
tags:
- attack.privilege_escalation
- attack.t1068
status: experimental
author: Teymur Kheirkhabarov
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
ParentIntegrityLevel: Medium
IntegrityLevel: System
User: "NT AUTHORITY\\SYSTEM"
condition: selection
falsepositives:
- Todo
level: critical
enrichment:
- EN_0001_cache_sysmon_event_id_1_info
- EN_0002_enrich_sysmon_event_id_1_with_parent_info
```
### Kibana query
```
(EventID:"1" AND ParentIntegrityLevel:"Medium" AND IntegrityLevel:"System" AND User:"NT AUTHORITY\\\\SYSTEM")
```
### X-Pack Watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/Windows-Kernel-and-3rd-party-drivers-exploits.-Token-stealing <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "(EventID:\\"1\\" AND ParentIntegrityLevel:\\"Medium\\" AND IntegrityLevel:\\"System\\" AND User:\\"NT AUTHORITY\\\\\\\\SYSTEM\\")",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'Windows Kernel and 3rd-party drivers exploits. Token stealing\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### Graylog
```
(EventID:"1" AND ParentIntegrityLevel:"Medium" AND IntegrityLevel:"System" AND User:"NT AUTHORITY\\\\SYSTEM")
```
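
Review bot: `Data Needed` is `<ul></ul>` although the Sigma rule selects on Sysmon `EventID: 1` and the `enrichment` section relies on `EN_0001_cache_sysmon_event_id_1_info` / `EN_0002_enrich_sysmon_event_id_1_with_parent_info` to supply `ParentIntegrityLevel`, which does not exist in the raw event; the table should list the Sysmon process-creation DN and state the enrichment dependency, otherwise a reader deploying the Kibana or Graylog query alone will get a rule that can never match. The X-Pack Watcher block has the same escaped-string problem as the impersonation rule (literal `\n` and `\'` sequences), so it is not runnable as pasted.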

View File

@ -3,7 +3,7 @@
| Description | Detects suspicious process that use escape characters |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1140](https://attack.mitre.org/tactics/T1140)</li></ul> |
| Data Needed | <ul><li>[DN_0002_windows_process_creation_with_commandline_4688](../Data_Needed/DN_0002_windows_process_creation_with_commandline_4688.md)</li><li>[DN_0003_windows_sysmon_process_creation_1](../Data_Needed/DN_0003_windows_sysmon_process_creation_1.md)</li></ul> |
| Data Needed | <ul></ul> |
| Trigger | <ul><li>[T1140](../Triggering/T1140.md)</li></ul> |
| Severity Level | low |
| False Positives | <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li></ul> |
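
Review bot: Data Needed loses both process-creation sources and becomes `<ul></ul>`; for a rule that matches escape characters in command lines, the command-line-bearing sources (4688 with command line, Sysmon event 1) are the whole point, so the empty list is a regression, not a cleanup, and the links should be resolved to the renamed DN documents.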

View File

@ -3,7 +3,7 @@
| Description | Detects a set of commands often used in recon stages by different attack groups |
| ATT&amp;CK Tactic | <ul><li>[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1073](https://attack.mitre.org/tactics/T1073)</li><li>[T1012](https://attack.mitre.org/tactics/T1012)</li></ul> |
| Data Needed | <ul><li>[DN_0003_windows_sysmon_process_creation_1](../Data_Needed/DN_0003_windows_sysmon_process_creation_1.md)</li><li>[DN_0002_windows_process_creation_with_commandline_4688](../Data_Needed/DN_0002_windows_process_creation_with_commandline_4688.md)</li></ul> |
| Data Needed | <ul></ul> |
| Trigger | <ul><li>[T1012](../Triggering/T1012.md)</li></ul> |
| Severity Level | medium |
| False Positives | <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li></ul> |
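
Review bot: Data Needed becomes `<ul></ul>`, dropping the Sysmon event 1 and 4688-with-command-line sources that a detection of recon command sequences depends on; the Trigger link to `T1012` survives while the data requirement disappears, which leaves the document inconsistent. Resolve the links to the renamed DN files instead of removing them.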

View File

@ -3,7 +3,7 @@
| Description | Detects suspicious IIS native-code module installations via command line |
| ATT&amp;CK Tactic | <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1100](https://attack.mitre.org/tactics/T1100)</li></ul> |
| Data Needed | <ul><li>[DN_0003_windows_sysmon_process_creation_1](../Data_Needed/DN_0003_windows_sysmon_process_creation_1.md)</li><li>[DN_0002_windows_process_creation_with_commandline_4688](../Data_Needed/DN_0002_windows_process_creation_with_commandline_4688.md)</li></ul> |
| Data Needed | <ul></ul> |
| Trigger | There is no Trigger for this technique yet. |
| Severity Level | medium |
| False Positives | <ul><li>Unknown as it may vary from organisation to arganisation how admins use to install IIS modules</li></ul> |
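Review bot: `arganisation` in the False Positives cell should be `organisation`, and "how admins use to install IIS modules" reads better as "how admins install IIS modules". The cell could also be more actionable than "Unknown": the obvious benign producer is deployment automation and IIS administrators installing native modules the same way, and naming them lets the rule be tuned on the installing account or host rather than left as a known-noisy alert.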

View File

@ -3,7 +3,7 @@
| Description | Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT) |
| ATT&amp;CK Tactic | <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1003](https://attack.mitre.org/tactics/T1003)</li></ul> |
| Data Needed | <ul><li>[DN_0003_windows_sysmon_process_creation_1](../Data_Needed/DN_0003_windows_sysmon_process_creation_1.md)</li><li>[DN_0002_windows_process_creation_with_commandline_4688](../Data_Needed/DN_0002_windows_process_creation_with_commandline_4688.md)</li></ul> |
| Data Needed | <ul></ul> |
| Trigger | <ul><li>[T1003](../Triggering/T1003.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>NTDS maintenance</li></ul> |

View File

@ -3,7 +3,7 @@
| Description | Detects base64 encoded strings used in hidden malicious PowerShell command lines |
| ATT&amp;CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1086](https://attack.mitre.org/tactics/T1086)</li></ul> |
| Data Needed | <ul><li>[DN_0002_windows_process_creation_with_commandline_4688](../Data_Needed/DN_0002_windows_process_creation_with_commandline_4688.md)</li></ul> |
| Data Needed | <ul></ul> |
| Trigger | <ul><li>[T1086](../Triggering/T1086.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Penetration tests</li></ul> |
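Review bot: before this change the page listed only the 4688 source (`DN_0002_windows_process_creation_with_commandline_4688`), while the sibling command-line rules in this commit list the Sysmon event 1 source as well; a base64 command-line match works identically on Sysmon's `CommandLine`, so when the Data Needed references are restored, add `DN_0003_windows_sysmon_process_creation_1` here too rather than leaving this rule tied to Security-log auditing only.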

View File

@ -3,7 +3,7 @@
| Description | Detects suspicious process run from unusual locations |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1036](https://attack.mitre.org/tactics/T1036)</li></ul> |
| Data Needed | <ul><li>[DN_0002_windows_process_creation_with_commandline_4688](../Data_Needed/DN_0002_windows_process_creation_with_commandline_4688.md)</li><li>[DN_0003_windows_sysmon_process_creation_1](../Data_Needed/DN_0003_windows_sysmon_process_creation_1.md)</li></ul> |
| Data Needed | <ul></ul> |
| Trigger | <ul><li>[T1036](../Triggering/T1036.md)</li></ul> |
| Severity Level | medium |
| False Positives | <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li></ul> |

View File

@ -3,7 +3,7 @@
| Description | Detects suspicious process related to rundll32 based on arguments |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1085](https://attack.mitre.org/tactics/T1085)</li></ul> |
| Data Needed | <ul><li>[DN_0002_windows_process_creation_with_commandline_4688](../Data_Needed/DN_0002_windows_process_creation_with_commandline_4688.md)</li><li>[DN_0003_windows_sysmon_process_creation_1](../Data_Needed/DN_0003_windows_sysmon_process_creation_1.md)</li></ul> |
| Data Needed | <ul></ul> |
| Trigger | <ul><li>[T1085](../Triggering/T1085.md)</li></ul> |
| Severity Level | |
| False Positives | <ul><li>False positives depend on scripts and administrative tools used in the monitored environment</li></ul> |

View File

@ -3,7 +3,7 @@
| Description | Detects Access to Domain Group Policies stored in SYSVOL |
| ATT&amp;CK Tactic | <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1003](https://attack.mitre.org/tactics/T1003)</li></ul> |
| Data Needed | <ul><li>[DN_0003_windows_sysmon_process_creation_1](../Data_Needed/DN_0003_windows_sysmon_process_creation_1.md)</li><li>[DN_0002_windows_process_creation_with_commandline_4688](../Data_Needed/DN_0002_windows_process_creation_with_commandline_4688.md)</li></ul> |
| Data Needed | <ul></ul> |
| Trigger | <ul><li>[T1003](../Triggering/T1003.md)</li></ul> |
| Severity Level | medium |
| False Positives | <ul><li>administrative activity</li></ul> |

View File

@ -0,0 +1,78 @@
| Title | Token swapping using Mimikatz driver |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detection of child processes spawned under SYSTEM by process with High integrity level |
| ATT&amp;CK Tactic | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1134](https://attack.mitre.org/tactics/T1134)</li></ul> |
| Data Needed | <ul></ul> |
| Trigger | <ul><li>[T1134](../Triggering/T1134.md)</li></ul> |
| Severity Level | critical |
| False Positives | <ul><li>Todo</li></ul> |
| Development Status | experimental |
| References | <ul><li>[https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment](https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment)</li></ul> |
| Author | Teymur Kheirkhabarov |
## Detection Rules
### Sigma rule
```
title: Token swapping using Mimikatz driver
description: Detection of child processes spawned under SYSTEM by process with High integrity level
references:
- https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1134
status: experimental
author: Teymur Kheirkhabarov
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
ParentIntegrityLevel: High
IntegrityLevel: System
User: "NT AUTHORITY\\SYSTEM"
condition: selection
falsepositives:
- Todo
level: critical
enrichment:
- EN_0001_cache_sysmon_event_id_1_info
- EN_0002_enrich_sysmon_event_id_1_with_parent_info
```
### Kibana query
```
(EventID:"1" AND ParentIntegrityLevel:"High" AND IntegrityLevel:"System" AND User:"NT AUTHORITY\\\\SYSTEM")
```
### X-Pack Watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/Token-swapping-using-Mimikatz-driver <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "(EventID:\\"1\\" AND ParentIntegrityLevel:\\"High\\" AND IntegrityLevel:\\"System\\" AND User:\\"NT AUTHORITY\\\\\\\\SYSTEM\\")",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'Token swapping using Mimikatz driver\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### Graylog
```
(EventID:"1" AND ParentIntegrityLevel:"High" AND IntegrityLevel:"System" AND User:"NT AUTHORITY\\\\SYSTEM")
```
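Review bot: the detection depends on `ParentIntegrityLevel`, which Sysmon event 1 does not emit; it only exists after `EN_0002_enrich_sysmon_event_id_1_with_parent_info` has run, so the generated Kibana, Graylog and Watcher queries return nothing on a plain Sysmon index and nobody is told why. State the enrichment dependency in the page body (the `enrichment:` list at the bottom of the YAML is the only hint) and list the underlying source, which `| Data Needed | <ul></ul> |` currently omits: the logsource is Sysmon event 1, so `DN_0003_windows_sysmon_process_creation_1` belongs there. Two smaller things: the X-Pack Watcher block has been serialised through a string `repr` (literal `\n` sequences and `\'Content-Type: application/json\'`), so it cannot be pasted into a shell as shown; and a `critical` rule with `falsepositives: Todo` should either enumerate the benign producers (anything that legitimately launches a child with a SYSTEM token from an elevated process) or carry a lower level until it has been baselined.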

View File

@ -3,7 +3,7 @@
| Description | Detects WMI script event consumers |
| ATT&amp;CK Tactic | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul> |
| ATT&amp;CK Technique | <ul><li>[T1047](https://attack.mitre.org/tactics/T1047)</li></ul> |
| Data Needed | <ul><li>[DN_0003_windows_sysmon_process_creation_1](../Data_Needed/DN_0003_windows_sysmon_process_creation_1.md)</li><li>[DN_0002_windows_process_creation_with_commandline_4688](../Data_Needed/DN_0002_windows_process_creation_with_commandline_4688.md)</li><li>[DN_0001_windows_process_creation_4688](../Data_Needed/DN_0001_windows_process_creation_4688.md)</li></ul> |
| Data Needed | <ul></ul> |
| Trigger | <ul><li>[T1047](../Triggering/T1047.md)</li></ul> |
| Severity Level | high |
| False Positives | <ul><li>Legitimate event consumers</li></ul> |

View File

@ -0,0 +1,17 @@
| Title | LP_0005_windows_sysmon_network_connection |
|:---------------|:--------------------------------------------------------------------------------|
| Description | The network connection event logs TCP/UDP connections on the machine. It is disabled by default. Each connection is linked to a process through the ProcessId and ProcessGUID fields. The event also contains the source and destination host names IP addresses, port numbers and IPv6 status. |
| Default | Not configured |
| Event Volume | High |
| EventID | <ul><li>3</li></ul> |
| References | <ul><li>[https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon)</li></ul> |
## Configuration
Sysmon event id 3 is disabled by default.
It can be enabled by specyfying -n option
However due to high level of produced logs it should be filtred with configuration file
Sample configuration might be found here: https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml
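Review bot: the Configuration section has `specyfying` and `filtred` (specifying, filtered), and the sentences lack end punctuation. More substantively, `-n` is an install/update switch (`sysmon -i -n` or `sysmon -c -n`) that turns on network logging for every process; the page says the volume needs filtering "with configuration file" but gives nothing to copy, unlike LP_0007. A short `<NetworkConnect onmatch="include">` / `<NetworkConnect onmatch="exclude">` rule group, or at least the relevant lines from the linked SwiftOnSecurity config, would make the policy actionable. The Description is also missing a comma in "host names IP addresses".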

View File

@ -0,0 +1,17 @@
| Title | LP_0006_windows_sysmon_image_loaded |
|:---------------|:--------------------------------------------------------------------------------|
| Description | The image loaded event logs when a module is loaded in a specific process. This event is disabled by default and needs to be configured with the l option. It indicates the process in which the module is loaded, hashes and signature information. The signature is created asynchronously for performance reasons and indicates if the file was removed after loading. This event should be configured carefully, as monitoring all image load events will generate a large number of events. |
| Default | Not configured |
| Event Volume | High |
| EventID | <ul><li>7</li></ul> |
| References | <ul><li>[https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon)</li></ul> |
## Configuration
Sysmon event id 7 is disabled by default.
It can be enabled by specyfying -l option
However due to high level of produced logs it should be filtred with configuration file
Sample configuration might be found here: https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml
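Review bot: "needs to be configured with the l option" in the Description has lost its dash (`-l`), and the Configuration section repeats the `specyfying` / `filtred` typos from LP_0005. Note also that `-l` accepts an optional process list (`-l [process,...]`), which is the cheap way to restrict image-load logging from the command line; in a config file the equivalent is an `<ImageLoad onmatch="include">` rule group keyed on `ImageLoaded` or `Signed`, and a fragment here would be more useful than a bare link to the SwiftOnSecurity config.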

View File

@ -0,0 +1,26 @@
| Title | LP_0007_windows_sysmon_ProcessAccess |
|:---------------|:--------------------------------------------------------------------------------|
| Description | The process accessed event reports when a process opens another process, an operation thats often followed by information queries or reading and writing the address space of the target process. This enables detection of hacking tools that read the memory contents of processes like Local Security Authority (Lsass.exe) in order to steal credentials for use in Pass-the-Hash attacks. Enabling it can generate significant amounts of logging if there are diagnostic utilities active that repeatedly open processes to query their state, so it generally should only be done so with filters that remove expected accesses. |
| Default | Not configured |
| Event Volume | High |
| EventID | <ul><li>10</li></ul> |
| References | <ul><li>[https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon)</li></ul> |
## Configuration
Sysmon event id 10 is disabled by default.
It can be enabled by specyfying configuration
However due to high level of produced logs it should be filtred with configuration file
Sample configuration:
```
<ProcessAccess onmatch="include">
<TargetImage condition="is">C:\Windows\system32\lsass.exe</TargetImage>
</ProcessAccess>
<ProcessAccess onmatch="exclude">
<SourceImage condition="is">C:\windows\system32\wbem\wmiprvse.exe</SourceImage>
<SourceImage condition="is">C:\windows\system32\svchost.exe</TargetImage>
</ProcessAccess>
```
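Review bot: the sample configuration is not well-formed XML: `<SourceImage condition="is">C:\windows\system32\svchost.exe</TargetImage>` opens `SourceImage` and closes `TargetImage`, so Sysmon will reject the whole config file at load time rather than apply it; it should close with `</SourceImage>`. Beyond that, excluding `svchost.exe` wholesale as a source image hides every LSASS open by a service hosted in svchost and by anything injected into one, which is exactly where credential theft hides; filtering on `GrantedAccess` instead of (or in addition to) the source image keeps the benign handle opens out while still catching the `0x1010`-style read access that dumpers request. Also, "It can be enabled by specyfying configuration" should say that event 10 has no command-line switch and is enabled only by a `<ProcessAccess>` rule group, and "thats" in the Description needs an apostrophe.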

View File

@ -0,0 +1,92 @@
| Title | LP_0008_windows_sysmon_FileCreate |
|:---------------|:--------------------------------------------------------------------------------|
| Description | File create operations are logged when a file is created or overwritten. This event is useful for monitoring autostart locations, like the Startup folder, as well as temporary and download directories, which are common places malware drops during initial infection. |
| Default | Partially (Other) |
| Event Volume | High |
| EventID | <ul><li>11</li></ul> |
| References | <ul><li>[https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon)</li></ul> |
## Configuration
Sysmon event id 11 is enabled by default however default configuration might not be sufficient.
Sample configuration providing much better visibility might be found here: https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml
```
<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime-->
<FileCreate onmatch="include">
<TargetFilename condition="contains">\Start Menu</TargetFilename> <!--Microsoft:Windows: Startup links and shortcut modification [ https://attack.mitre.org/wiki/Technique/T1023 ] -->
<TargetFilename condition="contains">\Startup\</TargetFilename> <!--Microsoft:Office: Changes to user's auto-launched files and shortcuts-->
<TargetFilename condition="contains">\Content.Outlook\</TargetFilename> <!--Microsoft:Outlook: attachments-->
<TargetFilename condition="contains">\Downloads\</TargetFilename> <!--Downloaded files. Does not include "Run" files in IE-->
<TargetFilename condition="end with">.application</TargetFilename> <!--Microsoft:ClickOnce: [ https://blog.netspi.com/all-you-need-is-one-a-clickonce-love-story/ ] -->
<TargetFilename condition="end with">.appref-ms</TargetFilename> <!--Microsoft:ClickOnce application | Credit @ion-storm -->
<TargetFilename condition="end with">.bat</TargetFilename> <!--Batch scripting-->
<TargetFilename condition="end with">.chm</TargetFilename>
<TargetFilename condition="end with">.cmd</TargetFilename> <!--Batch scripting: Batch scripts can also use the .cmd extension | Credit: @mmazanec -->
<TargetFilename condition="end with">.cmdline</TargetFilename> <!--Microsoft:dotNet: Executed by cvtres.exe-->
<TargetFilename condition="end with">.docm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
<TargetFilename condition="end with">.exe</TargetFilename> <!--Executable-->
<TargetFilename condition="end with">.jar</TargetFilename> <!--Java applets-->
<TargetFilename condition="end with">.jnlp</TargetFilename> <!--Java applets-->
<TargetFilename condition="end with">.jse</TargetFilename> <!--Scripting [ Example: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Mal~Phires-C/detailed-analysis.aspx ] -->
<TargetFilename condition="end with">.hta</TargetFilename> <!--Scripting-->
<TargetFilename condition="end with">.pptm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
<TargetFilename condition="end with">.ps1</TargetFilename> <!--PowerShell [ More information: http://www.hexacorn.com/blog/2014/08/27/beyond-good-ol-run-key-part-16/ ] -->
<TargetFilename condition="end with">.sys</TargetFilename> <!--System driver files-->
<TargetFilename condition="end with">.scr</TargetFilename> <!--System driver files-->
<TargetFilename condition="end with">.vbe</TargetFilename> <!--VisualBasicScripting-->
<TargetFilename condition="end with">.vbs</TargetFilename> <!--VisualBasicScripting-->
<TargetFilename condition="end with">.xlsm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
<TargetFilename condition="end with">proj</TargetFilename><!--Microsoft:MSBuild:Script: More information: https://twitter.com/subTee/status/885919612969394177-->
<TargetFilename condition="end with">.sln</TargetFilename><!--Microsoft:MSBuild:Script: More information: https://twitter.com/subTee/status/885919612969394177-->
<TargetFilename condition="begin with">C:\Users\Default</TargetFilename> <!--Microsoft:Windows: Changes to default user profile-->
<TargetFilename condition="begin with">C:\Windows\system32\Drivers</TargetFilename> <!--Microsoft: Drivers dropped here-->
<TargetFilename condition="begin with">C:\Windows\SysWOW64\Drivers</TargetFilename> <!--Microsoft: Drivers dropped here-->
<TargetFilename condition="begin with">C:\Windows\system32\GroupPolicy\Machine\Scripts</TargetFilename> <!--Group policy [ More information: http://www.hexacorn.com/blog/2017/01/07/beyond-good-ol-run-key-part-52/ ] -->
<TargetFilename condition="begin with">C:\Windows\system32\GroupPolicy\User\Scripts</TargetFilename> <!--Group policy [ More information: http://www.hexacorn.com/blog/2017/01/07/beyond-good-ol-run-key-part-52/ ] -->
<TargetFilename condition="begin with">C:\Windows\system32\Wbem</TargetFilename> <!--Microsoft:WMI: [ More information: http://2014.hackitoergosum.org/slides/day1_WMI_Shell_Andrei_Dumitrescu.pdf ] -->
<TargetFilename condition="begin with">C:\Windows\SysWOW64\Wbem</TargetFilename> <!--Microsoft:WMI: [ More information: http://2014.hackitoergosum.org/slides/day1_WMI_Shell_Andrei_Dumitrescu.pdf ] -->
<TargetFilename condition="begin with">C:\Windows\system32\WindowsPowerShell</TargetFilename> <!--Microsoft:Powershell: Look for modifications for persistence [ https://www.malwarearchaeology.com/cheat-sheets ] -->
<TargetFilename condition="begin with">C:\Windows\SysWOW64\WindowsPowerShell</TargetFilename> <!--Microsoft:Powershell: Look for modifications for persistence [ https://www.malwarearchaeology.com/cheat-sheets ] -->
<TargetFilename condition="begin with">C:\Windows\Tasks\</TargetFilename> <!--Microsoft:ScheduledTasks [ https://attack.mitre.org/wiki/Technique/T1053 ] -->
<TargetFilename condition="begin with">C:\Windows\system32\Tasks</TargetFilename> <!--Microsoft:ScheduledTasks [ https://attack.mitre.org/wiki/Technique/T1053 ] -->
<!--Windows application compatibility-->
<TargetFilename condition="begin with">C:\Windows\AppPatch\Custom</TargetFilename> <!--Microsoft:Windows: Application compatibility shims [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
<TargetFilename condition="contains">VirtualStore</TargetFilename> <!--Microsoft:Windows: UAC virtualization [ https://blogs.msdn.microsoft.com/oldnewthing/20150902-00/?p=91681 ] -->
<!--Exploitable file names-->
<TargetFilename condition="end with">.xls</TargetFilename> <!--Legacy Office files are often used for attacks-->
<TargetFilename condition="end with">.ppt</TargetFilename> <!--Legacy Office files are often used for attacks-->
<TargetFilename condition="end with">.rft</TargetFilename> <!--RTF files often 0day malware vectors when opened by Office-->
</FileCreate>
<FileCreate onmatch="exclude">
<!--SECTION: Microsoft-->
<Image condition="is">C:\Program Files (x86)\EMET 5.5\EMET_Service.exe</Image> <!--Microsoft:EMET: Writes to C:\Windows\AppPatch\-->
<!--SECTION: Microsoft:Office-->
<TargetFilename condition="is">C:\Windows\System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask</TargetFilename>
<!--SECTION: Microsoft:Office:Click2Run-->
<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</Image> <!-- Microsoft:Office Click2Run-->
<!--SECTION: Microsoft:Windows-->
<Image condition="is">C:\Windows\system32\smss.exe</Image> <!-- Microsoft:Windows: Session Manager SubSystem: Creates swapfile.sys,pagefile.sys,hiberfile.sys-->
<Image condition="is">C:\Windows\system32\CompatTelRunner.exe</Image> <!-- Microsoft:Windows: Windows 10 app, creates tons of cache files-->
<Image condition="is">\\?\C:\Windows\system32\wbem\WMIADAP.EXE</Image> <!-- Microsoft:Windows: WMI Performance updates-->
<Image condition="is">C:\Windows\system32\mobsync.exe</Image> <!--Microsoft:Windows: Network file syncing-->
<TargetFilename condition="begin with">C:\Windows\system32\DriverStore\Temp\</TargetFilename> <!-- Microsoft:Windows: Temp files by DrvInst.exe-->
<TargetFilename condition="begin with">C:\Windows\system32\wbem\Performance\</TargetFilename> <!-- Microsoft:Windows: Created in wbem by WMIADAP.exe-->
<TargetFilename condition="end with">WRITABLE.TST</TargetFilename> <!-- Microsoft:Windows: Created in wbem by svchost-->
<TargetFilename condition="begin with">C:\Windows\Installer\</TargetFilename> <!--Microsoft:Windows:Installer: Ignore MSI installer files caching-->
<!--SECTION: Microsoft:Windows:Updates-->
<TargetFilename condition="begin with">C:\$WINDOWS.~BT\Sources\</TargetFilename> <!-- Microsoft:Windows: Feature updates containing lots of .exe and .sys-->
<Image condition="begin with">C:\Windows\winsxs\amd64_microsoft-windows</Image> <!-- Microsoft:Windows: Windows update-->
<!--SECTION: Dell-->
<Image condition="is">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe</Image>
<!--SECTION: Intel-->
<Image condition="is">C:\Windows\system32\igfxCUIService.exe</Image> <!--Intel: Drops bat and other files in \Windows in normal operation-->
<!--SECTION: Adobe-->
<TargetFilename condition="is">C:\Windows\System32\Tasks\Adobe Acrobat Update Task</TargetFilename>
<TargetFilename condition="is">C:\Windows\System32\Tasks\Adobe Flash Player Updater</TargetFilename>
</FileCreate>
```
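Review bot: `<TargetFilename condition="end with">.rft</TargetFilename>` never matches an RTF file; the extension is `.rtf`, so the rule the comment advertises is dead as written. Several comments in the include block are also wrong and will mislead anyone tuning it: `.scr` is a screensaver (a PE executable), not a "System driver file", and the `.pptm` and `.xlsm` entries are PowerPoint and Excel macro formats, not "Word". `| Default | Partially (Other) |` is not self-explanatory either; say what the default ruleset actually logs. Since the block is taken from the linked SwiftOnSecurity config, credit it inside the page (the link above the fence is the only attribution) and note which revision it was copied from so the fixes can be upstreamed.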

View File

@ -4,6 +4,7 @@ TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,Hostname,
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,Username,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,CommandLine,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,LogonGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
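Review bot: the added `ThreadID` row for Sysmon event 1 is misleading as an analytics field: a Windows event record carries `ThreadID` only in its `<Execution ProcessID= ThreadID=>` system attributes, which identify the logging thread (for Sysmon events, a thread of the Sysmon service), not any thread of the created process. If the intent is the system attribute, say so in the field description; otherwise drop the row, because no rule can pivot on it.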
@ -25,6 +26,7 @@ TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,Hostname,
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,Username,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,CommandLine,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,LogonGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
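Review bot: these rows pair Channel `Microsoft-Windows-Sysmon/Operational` with EventID `4688` and logging policy `LP_0002_windows_audit_process_creation_with_commandline`; 4688 is a Security-channel event produced by audit policy and never appears in the Sysmon channel, so the rows describe a combination that cannot exist. It looks like the CSV is built as the cross product of every channel, event ID and logging policy across all of a rule's Data Needed entries instead of one row set per entry; the newly added `ThreadID` line inherits the same mistake. Generating per Data Needed entry fixes the whole file.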
@ -51,6 +53,8 @@ TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessGu
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,CommandLine,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
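Review bot: same cross-product problem as the previous hunk, now with EventID `4696` under the Sysmon channel; 4696 (a primary token was assigned to process) is a Security-channel audit event. If the analytics CSV feeds anything downstream (coverage matrices, data-source gap reports), rows like these will count Sysmon as providing audit events it cannot provide.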
@ -83,11 +87,35 @@ TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ParentPro
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ParentProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ParentCommandLine,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ParentCommandLine,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,EventID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,Hostname,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,Username,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,CommandLine,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,LogonGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,LogonId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,TerminalSessionid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,IntegrityLevel,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,Imphash,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,Sha256hash,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,Sha1hash,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,Md5hash,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,Image,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ParentImage,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ParentProcessGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ParentProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ParentProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ParentCommandLine,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,EventID,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,Hostname,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,Username,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,UserSid,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessPid,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessId,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ThreadID,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessName,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,NewProcessName,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,Image,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
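Review bot: the new LP_0008 rows claim that Sysmon event 11 carries `CommandLine`, `LogonGuid`, `IntegrityLevel`, `Imphash`/`Sha256hash`/`Sha1hash`/`Md5hash`, `ParentImage`, `ParentCommandLine` and so on; those are event 1 fields. FileCreate emits only `UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime` (the `<!--DATA: ...-->` comment in LP_0008 in this same commit lists exactly these), so every other event 11 row promises data that will not be there. The block that follows, Channel `Security` with EventID `1` and `LP_0003_windows_sysmon_process_creation`, lists the Sysmon event under the Security channel and is impossible for the same reason as the earlier hunks.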
@ -105,6 +133,8 @@ TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,Hostname,
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,Username,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,UserSid,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessPid,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessId,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ThreadID,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessName,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,NewProcessName,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,Image,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
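Review bot: adding ProcessId and ThreadID next to the existing ProcessPid row for Security/4688 makes the field list ambiguous without a mapping note. In a 4688 record the created process is NewProcessId and the creator is ProcessId (the Creator Process ID), so ProcessPid and ProcessId either alias the same value or name two different processes, and the file does not say which. ThreadID appears in a 4688 record only as an attribute of the System/Execution element, not in EventData, so it does not identify the created process and is not a useful pivot for this detection. Suggest documenting the mapping of these names to the 4688 XML fields where the field list is defined, and dropping ThreadID if it is not actually consumed by the rule.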
@ -127,6 +157,10 @@ TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,UserSid,W
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,UserSid,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessPid,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessPid,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessId,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessId,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ThreadID,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ThreadID,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessName,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessName,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,NewProcessName,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
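Review bot: the new ProcessId and ThreadID rows are emitted once for 4688 and once for 4696 with an identical field list, and the surrounding rows show the whole 4688 list (ProcessPid, ProcessName, NewProcessName) mirrored onto 4696 the same way. Event 4696 (a primary token was assigned to process) has its own field names, TargetProcessId and TargetProcessName for the process that receives the token, and does not carry NewProcessName or the 4688 token fields. A per-event-id field list, rather than every 4688 field stamped twice under LP_0001_windows_audit_process_creation, would stop the 4696 rows from promising fields that event never has.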
@ -151,11 +185,72 @@ TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,TokenElev
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,TokenElevationType,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,LogonId,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,LogonId,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,EventID,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,Hostname,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,Username,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,UserSid,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessPid,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessId,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ThreadID,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessName,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,NewProcessName,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,Image,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,CommandLine,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessCommandLine,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcesssCommandLine,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ParentProcessPid,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ParentImage,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ParentProcessName,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,MandatoryLabel,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,TokenElevationType,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,LogonId,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,EventID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,Computer,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,UtcTime,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,Image,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,TargetFilename,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,CreationUtcTime,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,EventID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,Computer,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,UtcTime,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,Image,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,TargetFilename,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,CreationUtcTime,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,EventID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,EventID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,Computer,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,Computer,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,UtcTime,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,UtcTime,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,Image,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,Image,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,TargetFilename,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,TargetFilename,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,CreationUtcTime,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,CreationUtcTime,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,EventID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,Computer,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,UtcTime,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,Image,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,TargetFilename,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,CreationUtcTime,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,EventID,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,Hostname,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,Username,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,UserSid,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessPid,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessId,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ThreadID,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessName,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,NewProcessName,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,Image,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
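Review bot: one typo and three blocks of cross-wired rows in this hunk. ProcesssCommandLine (three s) in the Security/11 block is a misspelling of the ProcessCommandLine row immediately above it and should be dropped before it becomes a field name that mappings and queries are written against. The Security/11/LP_0008_windows_sysmon_FileCreate block pairs the Security channel and 4688-style fields (NewProcessName, TokenElevationType, LogonId) with Sysmon event 11, and the two Microsoft-Windows-Sysmon/Operational blocks with event ids 4688 and 4696 pair Sysmon event 11 fields (UtcTime, ProcessGuid, TargetFilename, CreationUtcTime) with Security audit event ids; neither combination can occur in a real event record. The ten Security/1/LP_0003 rows that close the hunk (EventID through Image) are a verbatim repeat of the rows that close the hunk above this one. Same root cause as flagged earlier: generate each row from the source the field belongs to, and dedupe the output.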
@ -170,6 +265,8 @@ TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,Hostname,
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,Username,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,UserSid,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessPid,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessId,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ThreadID,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessName,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,NewProcessName,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,Image,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
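Review bot: this hunk is row for row identical to the -105,6 +133,8 hunk above (TA0002, same rule, Security/4688, LP_0002_windows_audit_process_creation_with_commandline), so the entire TA0002 block for this rule is present twice in the file and the new ProcessId / ThreadID rows are being appended to both copies. Dedupe the generated rows (or whatever produces two TA0002 entries for one rule) before adding fields, otherwise every regeneration doubles the same mistake.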
@ -189,6 +286,10 @@ TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,UserSid,W
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,UserSid,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessPid,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessPid,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessId,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessId,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ThreadID,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ThreadID,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessName,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessName,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,NewProcessName,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
@ -207,11 +308,28 @@ TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,TokenElev
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,TokenElevationType,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,LogonId,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,LogonId,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,EventID,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,Hostname,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,Username,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,UserSid,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessPid,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessId,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ThreadID,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ProcessName,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,NewProcessName,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,Image,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ParentImage,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ParentProcessPid,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,ParentProcessName,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,MandatoryLabel,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,TokenElevationType,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0002: Execution,attack.t1047,WMI Persistence - Script Event Consumer,LogonId,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,EventID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,Hostname,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,Username,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,CommandLine,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,LogonGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
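Review bot: the Security/11/LP_0008_windows_sysmon_FileCreate block here is the second copy of the block added in the -151,11 +185,72 hunk, but the two copies disagree: the CommandLine, ProcessCommandLine and ProcesssCommandLine rows are missing from this one, and ParentImage now precedes ParentProcessPid. Two copies of one field list that differ means at least one was edited by hand; both should come from a single definition. The channel/event-id mismatch itself (Security channel with Sysmon event 11) is the same problem flagged on the earlier hunks.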
@ -233,6 +351,7 @@ TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,Hostnam
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,Username,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,CommandLine,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,LogonGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
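Review bot: the ThreadID row added here extends a block whose channel is Microsoft-Windows-Sysmon/Operational but whose event id is 4688 and whose logging policy is LP_0002_windows_audit_process_creation_with_commandline. 4688 is a Security-channel audit event and is never emitted by Sysmon, so the block should not exist at all; the neighbouring field names (ProcessGuid, LogonGuid) are Sysmon event 1 fields, which confirms the rows are the Sysmon field list cross-joined with the 4688 logging policy. Rather than adding to it, remove the block and let the Sysmon fields attach only to the Microsoft-Windows-Sysmon/Operational event 1 rows.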
@ -259,6 +378,8 @@ TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,Process
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,CommandLine,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
@ -291,11 +412,35 @@ TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ParentP
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ParentProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ParentCommandLine,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ParentCommandLine,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,EventID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,Hostname,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,Username,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,CommandLine,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,LogonGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,LogonId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,TerminalSessionid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,IntegrityLevel,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,Imphash,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,Sha256hash,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,Sha1hash,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,Md5hash,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,Image,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ParentImage,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ParentProcessGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ParentProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ParentProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ParentCommandLine,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,EventID,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,Hostname,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,Username,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,UserSid,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessPid,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessId,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ThreadID,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessName,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,NewProcessName,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,Image,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
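Review bot: the rows from EventID down to Image just above this hunk header combine the Security/4688 field set (Hostname, Username, UserSid, ProcessPid, ProcessName, NewProcessName) with EventID 1 and LP_0003_windows_sysmon_process_creation, a combination no collector will ever see: Sysmon Event 1 is written to Microsoft-Windows-Sysmon/Operational and names its fields differently (Image, ProcessId, User, LogonGuid). The five rows before them (ParentImage, ParentProcessGuid, ParentProcessId, ParentProcessName, ParentCommandLine under Sysmon/Operational, EventID 11, LP_0008_windows_sysmon_FileCreate) fail the other way round: those are Event 1 fields, and Event 11 (FileCreate) carries no parent-process data. The export looks like a cross product of every Data Needed field attached to the rule with every channel, EventID and logging policy of the rule; it should emit one row per (Data Needed, field) carrying that entry's own channel, EventID and logging policy, otherwise the CSV cannot answer "which log do I need for this rule".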
@ -313,6 +458,8 @@ TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,Hostnam
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,Username,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,UserSid,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessPid,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessId,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ThreadID,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessName,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,NewProcessName,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,Image,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
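Review bot: the two added rows, ProcessId and ThreadID for Security/4688/LP_0002_windows_audit_process_creation_with_commandline, leave ProcessPid and ProcessId as adjacent rows with nothing to say which is the child and which is the creator; in 4688's own EventData, ProcessId is the creator process id and NewProcessId is the new process, so a reader mapping these names back to the event will guess wrong. ThreadID is not in 4688's EventData at all; it only exists in the System/Execution element, where it is the thread that wrote the record, so it tells the analyst nothing about the created process. Suggest using the event's own EventData names (NewProcessId, ProcessId) in DN_0002 and dropping ThreadID, or documenting on the Data Needed page which event field each alias maps to.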
@ -335,6 +482,10 @@ TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,UserSid
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,UserSid,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessPid,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessPid,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessId,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessId,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ThreadID,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ThreadID,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessName,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessName,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,NewProcessName,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
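Review bot: the four added rows (ProcessId and ThreadID, each for 4688 and 4696 under LP_0001_windows_audit_process_creation) have the same defect for both events: ThreadID is System/Execution metadata identifying the logging thread, not part of either event's data, and ProcessId next to ProcessPid is ambiguous because 4688 and 4696 each carry both a creator ProcessId and a NewProcessId. Either rename to the events' EventData names or state the mapping in DN_0001.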
@ -359,11 +510,72 @@ TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,TokenEl
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,TokenElevationType,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,LogonId,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,LogonId,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,EventID,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,Hostname,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,Username,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,UserSid,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessPid,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessId,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ThreadID,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessName,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,NewProcessName,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,Image,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,CommandLine,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessCommandLine,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcesssCommandLine,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ParentProcessPid,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ParentImage,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ParentProcessName,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,MandatoryLabel,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,TokenElevationType,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,LogonId,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,EventID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,Computer,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,UtcTime,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,Image,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,TargetFilename,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,CreationUtcTime,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,EventID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,Computer,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,UtcTime,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,Image,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,TargetFilename,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,CreationUtcTime,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,EventID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,EventID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,Computer,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,Computer,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,UtcTime,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,UtcTime,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,Image,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,Image,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,TargetFilename,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,TargetFilename,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,CreationUtcTime,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,CreationUtcTime,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,EventID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,Computer,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,UtcTime,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,Image,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,TargetFilename,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,CreationUtcTime,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,EventID,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,Hostname,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,Username,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,UserSid,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessPid,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessId,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ThreadID,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessName,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,NewProcessName,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,Image,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
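Review bot: the added rows between LogonId/Security/4696 and the second EventID/Security/1 row (from EventID/Security/11 through CreationUtcTime/Sysmon/11) are all impossible pairings: Security with EventID 11 and LP_0008_windows_sysmon_FileCreate (FileCreate is a Microsoft-Windows-Sysmon/Operational event and has no UserSid, MandatoryLabel, TokenElevationType or LogonId); Microsoft-Windows-Sysmon/Operational with EventID 4688 or 4696 and the windows_audit_process_creation policies (those are Security events that Sysmon never emits); and EventID 1 rows carrying TargetFilename and CreationUtcTime, which are Event 11 fields. As elsewhere in this file, the exporter appears to multiply every Data Needed field by every channel, EventID and logging policy of the rule; one row per (Data Needed, field) with that entry's own channel/EventID/policy is what the columns promise. Two smaller points in the same block: "ProcesssCommandLine" has three s and sits beside CommandLine and ProcessCommandLine, so one field is listed under three spellings; and 4696 (primary token assigned) does not carry TokenElevationType, so the context row TokenElevationType/4696 at the top of the hunk is wrong as well.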
@ -378,6 +590,8 @@ TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,Hostnam
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,Username,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,UserSid,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessPid,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessId,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ThreadID,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessName,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,NewProcessName,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,Image,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
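Review bot: this hunk, including its two added ProcessId/ThreadID rows for Security/4688/LP_0002, is line for line the same as the hunk at old line 313 / new line 458: the whole "WMI Persistence - Script Event Consumer" block (same rule, same tactic column, same fields) is emitted twice in the file, and the hunks that follow repeat 335 and 359 in the same way. Unless a second copy is intended (a second tactic would show in the first column, and it does not), deduplicate rows before writing the CSV. The added rows also inherit the ProcessPid/ProcessId ambiguity (4688 has a creator ProcessId and a NewProcessId) and the fact that ThreadID is System/Execution metadata rather than a 4688 data field.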
@ -397,6 +611,10 @@ TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,UserSid
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,UserSid,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessPid,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessPid,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessId,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessId,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ThreadID,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ThreadID,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessName,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessName,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,NewProcessName,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
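Review bot: the four added ProcessId/ThreadID rows for 4688 and 4696 under LP_0001_windows_audit_process_creation are identical to the rows added at new line 482 for the same rule, so the block is generated twice and should be generated once. Independently of the duplication, ThreadID is not a data field of 4688 or 4696 (it is the logging thread from the System/Execution element), and ProcessId beside ProcessPid does not say which is the creator and which is the new process.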
@ -415,11 +633,28 @@ TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,TokenEl
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,TokenElevationType,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,LogonId,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,LogonId,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,EventID,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,Hostname,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,Username,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,UserSid,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessPid,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessId,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ThreadID,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ProcessName,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,NewProcessName,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,Image,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ParentImage,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ParentProcessPid,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,ParentProcessName,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,MandatoryLabel,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,TokenElevationType,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0003: Persistence,attack.t1047,WMI Persistence - Script Event Consumer,LogonId,Windows,Windows Log,Security,11,LP_0008_windows_sysmon_FileCreate
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,EventID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,Hostname,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,Username,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ProcessGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,CommandLine,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,LogonGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
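Review bot: the 16 added Security/11/LP_0008_windows_sysmon_FileCreate rows (EventID through LogonId) repeat the Security-channel FileCreate pairing from the first copy of this rule at new line 510, which cannot occur because Event 11 is a Microsoft-Windows-Sysmon/Operational event, but without the CommandLine/ProcessCommandLine/ProcesssCommandLine rows that copy has; the two copies of the same rule now disagree about their own field list, which shows the block is built twice from different inputs. The added ThreadID row for Suspicious Process Start Locations (Microsoft-Windows-Sysmon/Operational, EventID 1, LP_0003) is also wrong: Sysmon Event 1's data has ProcessId and ProcessGuid but no ThreadID; ThreadID only appears in the System/Execution element of every event record and identifies the Sysmon service thread that wrote it.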
@ -441,6 +676,7 @@ TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,Hostname
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,Username,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ProcessGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,CommandLine,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,LogonGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
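Review bot: the added ThreadID row extends a block (ProcessGuid, LogonGuid, CommandLine under Microsoft-Windows-Sysmon/Operational) tagged with EventID 4688 and LP_0002_windows_audit_process_creation_with_commandline; 4688 is a Security-channel audit event and ProcessGuid/LogonGuid are Sysmon Event 1 fields, so every row in the block mixes two Data Needed entries. ThreadID itself is not an Event 1 data field either (it is the System/Execution thread id). The fix belongs in the exporter, not in the rows: emit each Data Needed entry's fields only with that entry's own channel, EventID and logging policy.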
@ -467,6 +703,8 @@ TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ProcessG
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ProcessGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,CommandLine,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
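Review bot: the two added ThreadID rows for Microsoft-Windows-Sysmon/Operational with EventID 4688 and 4696 under LP_0001_windows_audit_process_creation describe events Sysmon never writes; 4688 and 4696 are Security-channel audit events, and the surrounding ProcessGuid/ProcessId/CommandLine rows are Sysmon Event 1 fields. ThreadID is additionally not a data field of any of the three events (it is the System/Execution thread of the logger). These rows disappear once the export pairs fields only with their own Data Needed entry.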
@ -504,6 +742,8 @@ TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,Hostname
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,Username,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,UserSid,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ProcessPid,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ProcessId,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ThreadID,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ProcessName,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,NewProcessName,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,Image,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
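Review bot: the added ProcessId and ThreadID rows for Security, EventID 1, LP_0003_windows_sysmon_process_creation join a block (Username, UserSid, ProcessPid, NewProcessName) that is already inconsistent: those are 4688 field names, Event 1 is a Microsoft-Windows-Sysmon/Operational event, and LP_0003 is the Sysmon policy. ThreadID is not in Event 1's data at all. Generate one row per (Data Needed, field) with that entry's channel/EventID/policy instead of the cross product.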
@ -521,6 +761,8 @@ TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,Hostname
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,Username,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,UserSid,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ProcessPid,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ProcessId,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ThreadID,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ProcessName,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,NewProcessName,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,Image,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
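Review bot: the added ProcessId and ThreadID rows for Security/4688/LP_0002 sit in the one block of this rule whose channel, EventID and policy actually match, but ProcessId next to ProcessPid is ambiguous (4688's EventData has ProcessId for the creator and NewProcessId for the child) and ThreadID is not 4688 data (it is the System/Execution thread of the logging process). Prefer the event's own EventData names on the Data Needed page and drop ThreadID.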
@ -543,6 +785,10 @@ TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,UserSid,
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,UserSid,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ProcessPid,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ProcessPid,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ProcessId,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ProcessId,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ThreadID,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ThreadID,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ProcessName,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ProcessName,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,NewProcessName,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
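Review bot: the four added rows (ProcessId and ThreadID for 4688 and 4696 under LP_0001_windows_audit_process_creation) add a ThreadID that neither event carries in its data (it is the System/Execution thread of the logging process) and a ProcessId that, next to ProcessPid, does not say whether it means the creator or the new process. Use the events' own EventData names (NewProcessId, ProcessId) or note the mapping in DN_0001.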
@ -572,6 +818,7 @@ TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Acc
TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Access,Username,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Access,ProcessGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Access,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Access,ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Access,ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Access,CommandLine,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Access,LogonGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
@ -593,6 +840,7 @@ TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Acc
TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Access,Username,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Access,ProcessGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Access,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Access,ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Access,ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Access,CommandLine,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Access,LogonGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
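Review bot: Every row in this hunk pairs Channel Microsoft-Windows-Sysmon/Operational with EventID 4688 and LP_0002_windows_audit_process_creation_with_commandline, a combination that does not exist: 4688 is a Security-channel event (the Security,4688 rows for the same rule appear further down), and the Sysmon channel's process-creation event is 1. The generator is evidently cross-joining the channel, EventID and logging-policy values of all data-needed records attached to the rule instead of emitting one row per (DN record, field); the same join later yields Security-channel rows with EventID 1 under LP_0003_windows_sysmon_process_creation. Take the channel/EventID/LP triple from each DN record and these rows disappear.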
@ -619,6 +867,8 @@ TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Acc
TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Access,ProcessGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Access,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Access,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Access,ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Access,ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Access,ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Access,ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Access,CommandLine,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
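Review bot: The CommandLine row at the end of this hunk is tied to LP_0001_windows_audit_process_creation, while the sibling policy is named LP_0002_windows_audit_process_creation_with_commandline; by the naming, 4688 only carries a command line under LP_0002, so a row asserting that CommandLine is available under LP_0001 (and on the Sysmon channel with EventID 4688, at that) tells a reader the detection works with a logging policy that does not supply the field it depends on. Restrict CommandLine to the LP_0002 rows and to Sysmon event 1 under LP_0003.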
@ -656,6 +906,8 @@ TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Acc
TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Access,Username,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Access,UserSid,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Access,ProcessPid,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Access,ProcessId,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Access,ThreadID,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Access,ProcessName,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Access,NewProcessName,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Access,Image,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
@ -673,6 +925,8 @@ TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Acc
TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Access,Username,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Access,UserSid,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Access,ProcessPid,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Access,ProcessId,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Access,ThreadID,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Access,ProcessName,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Access,NewProcessName,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Access,Image,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
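Review bot: For Security 4688 this hunk lists ProcessPid and ProcessId as two fields, and ProcessName, NewProcessName and Image as three, without stating what each maps to in the event. 4688 has exactly two process IDs, NewProcessId (the created process) and ProcessId (the creator), and one created-process path, NewProcessName; ProcessName is not a 4688 field at all, and Image is the Sysmon/normalised name for the same path. As written, a reader cannot tell whether ProcessPid stands for NewProcessId, or whether ProcessId here is the creator's PID (which for this rule would duplicate ParentProcessPid). Add a column giving the raw event field each normalised name maps to, or list only the normalised names, so field-coverage counts are not inflated by aliases.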
@ -695,6 +949,10 @@ TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Acc
TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Access,UserSid,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Access,ProcessPid,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Access,ProcessPid,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Access,ProcessId,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Access,ProcessId,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Access,ThreadID,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Access,ThreadID,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Access,ProcessName,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Access,ProcessName,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0006: Credential Access,attack.t1003,Suspicious SYSVOL Domain Group Policy Access,NewProcessName,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
@ -724,6 +982,7 @@ TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,Hostname
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,Username,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ProcessGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,CommandLine,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,LogonGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
@ -745,6 +1004,7 @@ TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,Hostname
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,Username,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ProcessGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,CommandLine,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,LogonGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
@ -771,6 +1031,8 @@ TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ProcessG
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ProcessGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,CommandLine,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
@ -808,6 +1070,8 @@ TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,Hostname
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,Username,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,UserSid,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ProcessPid,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ProcessId,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ThreadID,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ProcessName,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,NewProcessName,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,Image,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
@ -825,6 +1089,8 @@ TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,Hostname
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,Username,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,UserSid,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ProcessPid,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ProcessId,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ThreadID,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ProcessName,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,NewProcessName,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,Image,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
@ -847,6 +1113,10 @@ TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,UserSid,
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,UserSid,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ProcessPid,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ProcessPid,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ProcessId,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ProcessId,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ThreadID,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ThreadID,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ProcessName,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,ProcessName,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1036,Suspicious Process Start Locations,NewProcessName,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
@ -876,6 +1146,7 @@ TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,Hostname
TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,Username,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,ProcessGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,CommandLine,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,LogonGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
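Review bot: The pairing TA0007: Discovery with attack.t1073 in this hunk is inconsistent: in ATT&CK, T1073 is DLL Side-Loading, a Defense Evasion (TA0005) technique, so either the attack.t1073 tag on the Reconnaissance Activity with Net Command rule is a typo or the tactic column is copied from the rule's tactic tag rather than derived from the technique. The attack.t1012 (Query Registry) rows for the same rule further down do fit Discovery, which points to the former. Validate each technique ID against the tactic it belongs to when generating this file and fail the build on a mismatch instead of emitting the row.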
@ -897,6 +1168,7 @@ TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,Hostname
TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,Username,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,ProcessGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,CommandLine,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,LogonGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
@ -923,6 +1195,8 @@ TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,ProcessG
TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,ProcessGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,CommandLine,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
@ -960,6 +1234,8 @@ TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,Hostname
TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,Username,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,UserSid,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,ProcessPid,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,ProcessId,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,ThreadID,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,ProcessName,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,NewProcessName,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,Image,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
@ -977,6 +1253,8 @@ TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,Hostname
TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,Username,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,UserSid,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,ProcessPid,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,ProcessId,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,ThreadID,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,ProcessName,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,NewProcessName,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,Image,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
@ -999,6 +1277,10 @@ TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,UserSid,
TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,UserSid,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,ProcessPid,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,ProcessPid,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,ProcessId,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,ProcessId,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,ThreadID,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,ThreadID,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,ProcessName,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,ProcessName,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0007: Discovery,attack.t1073,Reconnaissance Activity with Net Command,NewProcessName,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
@ -1028,6 +1310,7 @@ TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,Hostname
TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,Username,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,ProcessGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,CommandLine,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,LogonGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
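Review bot: This hunk and those that follow repeat every Reconnaissance Activity with Net Command row a second time with attack.t1012 in place of attack.t1073 and identical field, channel, EventID and logging-policy values. A rule with n technique tags and m data-needed fields therefore produces n times m rows before the channel and policy variants are counted, and any pivot on the field or logging-policy columns over-counts by the number of techniques. Keep the technique-to-rule mapping as one row per (rule, technique) and the rule-to-field mapping as one row per (rule, DN record, field), or at least collapse the techniques into a single multi-valued cell.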
@ -1049,6 +1332,7 @@ TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,Hostname
TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,Username,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,ProcessGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,CommandLine,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,LogonGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
@ -1075,6 +1359,8 @@ TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,ProcessG
TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,ProcessGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,CommandLine,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
@ -1112,6 +1398,8 @@ TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,Hostname
TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,Username,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,UserSid,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,ProcessPid,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,ProcessId,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,ThreadID,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,ProcessName,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,NewProcessName,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,Image,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
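Review bot: the mirror-image mismatch here: every row in this hunk pairs the `Security` channel with event id 1 and `LP_0003_windows_sysmon_process_creation`, e.g. `TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,ThreadID,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation`. Event id 1 is Sysmon's process creation event and is never written to the Security log, and `LP_0003` configures Sysmon, not Windows auditing, so a consumer resolving "which policy do I need for this field" from these rows gets a wrong answer. The two rows added here (`ProcessId` and `ThreadID`) inherit the same bad triple; they should only exist with `Microsoft-Windows-Sysmon/Operational`,1,`LP_0003`.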
@ -1129,6 +1417,8 @@ TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,Hostname
TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,Username,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,UserSid,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,ProcessPid,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,ProcessId,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,ThreadID,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,ProcessName,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,NewProcessName,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,Image,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
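Review bot: the added `ProcessId` row sits directly under the pre-existing `ProcessPid` row for the same rule, channel, event id and policy, so the field list now carries two names for what reads as the same value (`...,ProcessPid,Windows,Windows Log,Security,4688,LP_0002_...` followed by `...,ProcessId,Windows,Windows Log,Security,4688,LP_0002_...`). If this is a rename to align with the `ProcessId` name the Sysmon rows already use, the `ProcessPid` row should be removed in the same commit; if `ProcessId` is meant to be 4688's creator process id while `ProcessPid` is the new process id, that distinction needs to be documented in the DN field list, because nothing in this file distinguishes them. The same pair also shows up as `ProcessName`/`NewProcessName`/`Image` on the next three rows, which is three names for the executable path on one event.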
@ -1151,6 +1441,10 @@ TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,UserSid,
TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,UserSid,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,ProcessPid,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,ProcessPid,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,ProcessId,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,ProcessId,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,ThreadID,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,ThreadID,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,ProcessName,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,ProcessName,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0007: Discovery,attack.t1012,Reconnaissance Activity with Net Command,NewProcessName,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
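Review bot: `ThreadID` is being added for both 4688 and 4696 (`...,ThreadID,Windows,Windows Log,Security,4688,LP_0001_...` and `...,ThreadID,Windows,Windows Log,Security,4696,LP_0001_...`), but neither event's EventData contains a thread id. The only ThreadID in a 4688/4696 record is the `Execution` attribute in the System element, which identifies the thread of the process that logged the event, not the process being created. If that attribute is what the field is meant to map to, the DN description should say so explicitly, because a rule author will otherwise read it as the new process's thread; if it is meant to be the new process's thread, these rows should be dropped because the events cannot supply it.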
@ -1180,6 +1474,7 @@ TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,Hostname,Wind
TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,Username,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,ProcessGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,CommandLine,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,LogonGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
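Review bot: this is the one hunk in the group whose channel, event id and policy are consistent (`Microsoft-Windows-Sysmon/Operational`, 1, `LP_0003_windows_sysmon_process_creation`), but the single row it adds, `...,ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation`, names a field Sysmon event 1 does not have. Event 1 identifies the new process by `ProcessGuid` and `ProcessId` (both already listed here) and the parent by ParentProcessGuid/ParentProcessId; thread ids only appear in other Sysmon events such as 8 (CreateRemoteThread, NewThreadId). Please confirm what `ThreadID` resolves to before it is stamped onto every process-creation rule.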
@ -1201,6 +1496,7 @@ TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,Hostname,Wind
TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,Username,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,ProcessGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,CommandLine,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,LogonGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
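Review bot: `ProcessGuid` and `LogonGuid` are listed against event id 4688 in `Microsoft-Windows-Sysmon/Operational` with `LP_0002_windows_audit_process_creation_with_commandline`; the GUID fields exist only in Sysmon event 1, and 4688 is a Security auditing event that is not written to the Sysmon channel, so every row in this hunk describes a combination that never occurs in a real log. The `ThreadID` row added here inherits the same impossible triple. These rows should not survive regeneration once the channel/event-id/policy coupling is fixed.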
@ -1227,6 +1523,8 @@ TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,ProcessGuid,W
TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,ProcessGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,CommandLine,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
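Review bot: every field under `LP_0001_windows_audit_process_creation` is emitted twice, once for 4688 and once for 4696 (`...,ThreadID,...,4688,LP_0001_...` immediately followed by `...,ThreadID,...,4696,LP_0001_...`), so each field added to the process-creation DN costs two rows per rule per channel. 4696 (primary token assigned to process) is a different event with its own field set; copying the 4688 field list onto it wholesale means rows like `CommandLine` with 4696 are wrong. Consider giving 4696 its own DN entry with only the fields it actually carries, which would also halve the churn in this file.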
@ -1264,6 +1562,8 @@ TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,Hostname,Wind
TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,Username,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,UserSid,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,ProcessPid,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,ProcessId,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,ThreadID,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,ProcessName,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,NewProcessName,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,Image,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
@ -1281,6 +1581,8 @@ TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,Hostname,Wind
TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,Username,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,UserSid,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,ProcessPid,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,ProcessId,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,ThreadID,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,ProcessName,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,NewProcessName,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,Image,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
@ -1303,6 +1605,10 @@ TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,UserSid,Windo
TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,UserSid,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,ProcessPid,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,ProcessPid,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,ProcessId,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,ProcessId,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,ThreadID,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,ThreadID,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,ProcessName,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,ProcessName,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0004: Privilege Escalation,attack.t1068,Hurricane Panda Activity,NewProcessName,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
@ -1332,6 +1638,7 @@ TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installatio
TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installation,Username,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installation,ProcessGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installation,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installation,ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installation,ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installation,CommandLine,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installation,LogonGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
@ -1353,6 +1660,7 @@ TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installatio
TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installation,Username,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installation,ProcessGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installation,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installation,ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installation,ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installation,CommandLine,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installation,LogonGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
@ -1379,6 +1687,8 @@ TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installatio
TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installation,ProcessGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installation,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installation,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installation,ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installation,ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installation,ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installation,ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installation,CommandLine,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
@ -1416,6 +1726,8 @@ TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installatio
TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installation,Username,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installation,UserSid,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installation,ProcessPid,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installation,ProcessId,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installation,ThreadID,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installation,ProcessName,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installation,NewProcessName,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installation,Image,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
@ -1433,6 +1745,8 @@ TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installatio
TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installation,Username,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installation,UserSid,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installation,ProcessPid,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installation,ProcessId,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installation,ThreadID,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installation,ProcessName,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installation,NewProcessName,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installation,Image,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
@ -1455,6 +1769,10 @@ TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installatio
TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installation,UserSid,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installation,ProcessPid,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installation,ProcessPid,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installation,ProcessId,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installation,ProcessId,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installation,ThreadID,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installation,ThreadID,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installation,ProcessName,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installation,ProcessName,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0003: Persistence,attack.t1100,IIS Native-Code Module Command Line Installation,NewProcessName,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
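Review bot: the same six-hunk block (Sysmon channel with 1, 4688 and 4688/4696; Security channel with 1, 4688 and 4688/4696) repeats verbatim for this rule as for the two rules before it, with only the rule name and technique changing, which confirms the CSV is generated output. Reviewing each copy separately is not productive; the mismatched triples (`Security`,1,`LP_0003_...` and `Microsoft-Windows-Sysmon/Operational`,4688,`LP_0001_...`/`LP_0002_...`) and the `ProcessPid`/`ProcessId` duplication need to be fixed once in the DN files and the generator, and this file regenerated, otherwise the next field added to DN_0001 will reintroduce the same wrong rows for every rule.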
@ -1484,6 +1802,7 @@ TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic
TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),Username,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),ProcessGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),CommandLine,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),LogonGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
@ -1505,6 +1824,7 @@ TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic
TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),Username,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),ProcessGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),CommandLine,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),LogonGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
@ -1531,6 +1851,8 @@ TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic
TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),ProcessGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),CommandLine,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
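Review bot: `CommandLine` is mapped to `LP_0001_windows_audit_process_creation` on the last row of this hunk (`...,CommandLine,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation`) even though a separate `LP_0002_windows_audit_process_creation_with_commandline` policy exists in this same file precisely for that field. The policy name alone tells a reader that LP_0001 does not deliver the command line, so a rule that depends on `CommandLine` must be mapped to LP_0002 only; as written the file claims LP_0001 is sufficient for this rule. This is another symptom of the cross product, since the field-to-policy link is lost when fields and policies are expanded independently.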
@ -1568,6 +1890,8 @@ TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic
TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),Username,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),UserSid,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),ProcessPid,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),ProcessId,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),ThreadID,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),ProcessName,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),NewProcessName,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),Image,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
@ -1585,6 +1909,8 @@ TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic
TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),Username,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),UserSid,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),ProcessPid,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),ProcessId,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),ThreadID,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),ProcessName,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),NewProcessName,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),Image,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
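Review bot: after this change the Security 4688 field list for the rule carries `ProcessPid`, `ProcessId`, `ThreadID`, `ProcessName`, `NewProcessName` and `Image` back to back. `Image` is Sysmon's name for the executable path and `NewProcessName` is 4688's; `ProcessId` and `ProcessPid` are two spellings of a pid. Rather than growing both naming schemes side by side, settle on one canonical field name per concept in the DN files (with the per-source raw name recorded there) so that this mapping lists each concept once per event; the two rows added here make the duplication worse, not better.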
@ -1607,6 +1933,10 @@ TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic
TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),UserSid,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),ProcessPid,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),ProcessPid,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),ProcessId,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),ProcessId,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),ThreadID,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),ThreadID,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),ProcessName,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),ProcessName,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0006: Credential Access,attack.t1003,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),NewProcessName,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
@ -1636,6 +1966,7 @@ TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,Hostname,Wind
TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,Username,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,ProcessGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,CommandLine,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,LogonGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
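Review bot: the ThreadID row added for Microsoft-Windows-Sysmon/Operational event 1 is not a process-creation attribute. Sysmon event 1 EventData has ProcessGuid, ProcessId, Image, CommandLine, ParentProcessId and so on; the only ThreadID is in the System/Execution element, where it is the Sysmon service's own thread and cannot be correlated with the created process. Recommend removing ThreadID from the Sysmon event 1 rows, or, if provider metadata is tracked deliberately, noting in the LP_0003/DN field list that it is provider metadata rather than a detection field.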
@ -1657,6 +1988,7 @@ TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,Hostname,Wind
TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,Username,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,ProcessGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,CommandLine,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,LogonGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
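Review bot: channel and event id disagree on every row of this hunk: Microsoft-Windows-Sysmon/Operational never contains event 4688, which is a Security-channel event from Microsoft-Windows-Security-Auditing, and ProcessGuid and LogonGuid exist only in Sysmon event 1, not in 4688. The pattern (every channel of the rule combined with every event id and every logging policy) suggests the generator builds a Cartesian product of the rule's data_needed entries instead of emitting one (channel, event_id, logging_policy) tuple per DN_ file. Fix the generator to iterate per data_needed entry and to take the field list, channel and event id from that entry only.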
@ -1683,6 +2015,8 @@ TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,ProcessGuid,W
TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,ProcessGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,CommandLine,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
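Review bot: the last row of this hunk pairs LP_0001_windows_audit_process_creation with the CommandLine field, which contradicts that policy's own description ("not including command line"); with only LP_0001 enabled the field is empty and the rule would silently never fire. CommandLine belongs with LP_0002_windows_audit_process_creation_with_commandline only, and 4696 has no command line under either policy. The 4688/4696 rows in the Sysmon/Operational channel here are also wrong, since those ids are Security-channel events.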
@ -1720,6 +2054,8 @@ TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,Hostname,Wind
TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,Username,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,UserSid,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,ProcessPid,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,ProcessId,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,ThreadID,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,ProcessName,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,NewProcessName,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,Image,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
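Review bot: the Security channel with event id 1 and LP_0003_windows_sysmon_process_creation is not a real source; event 1 is written only to Microsoft-Windows-Sysmon/Operational, so every row of this hunk describes data that will never exist and any coverage computed from it is inflated. The same rows also list ProcessPid, ProcessId and ThreadID together with NewProcessName and Image, mixing 4688 field names with Sysmon ones. Restrict each row set to the fields of the DN_ file that actually backs the (channel, event_id) pair.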
@ -1737,6 +2073,8 @@ TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,Hostname,Wind
TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,Username,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,UserSid,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,ProcessPid,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,ProcessId,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,ThreadID,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,ProcessName,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,NewProcessName,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,Image,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
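Review bot: the Security/4688/LP_0002 rows now carry ProcessPid, ProcessId and ThreadID side by side, plus both NewProcessName and Image. 4688 has NewProcessName and no Image, its EventData ProcessId is the creator PID (the new process is NewProcessId), and ThreadID exists only in the System/Execution element. Keep only the fields present in DN_0002's own field list for this row set and state there what ProcessPid means relative to ProcessId, otherwise two columns with the same apparent meaning will be used interchangeably in queries.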
@ -1759,6 +2097,10 @@ TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,UserSid,Windo
TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,UserSid,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,ProcessPid,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,ProcessPid,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,ProcessId,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,ProcessId,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,ThreadID,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,ThreadID,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,ProcessName,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,ProcessName,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1140,Suspicious Commandline Escape,NewProcessName,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
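Review bot: the new ProcessId and ThreadID rows are emitted once for 4688 and once for 4696 under LP_0001, and neither event has a ThreadID data field, so four of the four added lines describe a field that cannot be queried. More generally, each field costs eight lines per rule here (two event ids times the repeated tactic/technique/title columns); one row per (rule, field, DN_ file) with the event id taken from the DN_ file would be smaller and would make mismatches such as ThreadID on 4696 visible at generation time.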
@ -1788,6 +2130,7 @@ TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,Hostname,Windo
TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,Username,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,ProcessGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,CommandLine,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,LogonGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
@ -1809,6 +2152,7 @@ TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,Hostname,Windo
TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,Username,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,ProcessGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,CommandLine,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,LogonGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
@ -1835,6 +2179,8 @@ TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,ProcessGuid,Wi
TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,ProcessGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,CommandLine,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
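Review bot: the CommandLine row at the end of this hunk is attached to LP_0001_windows_audit_process_creation and event 4688, but LP_0001 is the policy without command-line auditing, so a Rundll32 rule that keys on the command line would never match under it. Move CommandLine to the LP_0002_windows_audit_process_creation_with_commandline rows, and fix the channel: 4688/4696 are Security-channel events, not Microsoft-Windows-Sysmon/Operational, and ThreadID is not a data field of either.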
@ -1872,6 +2218,8 @@ TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,Hostname,Windo
TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,Username,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,UserSid,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,ProcessPid,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,ProcessId,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,ThreadID,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,ProcessName,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,NewProcessName,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,Image,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
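Review bot: Security channel with event id 1 and LP_0003_windows_sysmon_process_creation, as on every row of this hunk, is a source that does not exist (event 1 is Sysmon-only and lives in Microsoft-Windows-Sysmon/Operational). Combined with the Sysmon/Operational-with-4688 rows elsewhere in the same rule, it points to the generator crossing channels with event ids instead of reading them together from each DN_ file; fix the generator rather than the CSV, since this file is regenerated.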
@ -1889,6 +2237,8 @@ TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,Hostname,Windo
TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,Username,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,UserSid,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,ProcessPid,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,ProcessId,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,ThreadID,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,ProcessName,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,NewProcessName,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,Image,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
@ -1911,6 +2261,10 @@ TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,UserSid,Window
TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,UserSid,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,ProcessPid,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,ProcessPid,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,ProcessId,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,ProcessId,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,ThreadID,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,ThreadID,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,ProcessName,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,ProcessName,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0005: Defense Evasion,attack.t1085,Suspicious Rundll32 Activity,NewProcessName,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
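Review bot: the four added rows (ProcessId and ThreadID, each for 4688 and 4696) sit next to existing ProcessPid rows for the same events, so the Rundll32 rule now advertises three process identifiers for 4688 without a definition of any of them. For 4688 the EventData has ProcessId (creator) and NewProcessId (created) and no ThreadID; document in DN_0001 which of these ProcessPid and ProcessId refer to, and drop ThreadID for the Security events.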
@ -1940,6 +2294,7 @@ TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,Hostname,Windows,Win
TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,Username,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,ProcessGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,CommandLine,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,LogonGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,1,LP_0003_windows_sysmon_process_creation
@ -1961,6 +2316,7 @@ TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,Hostname,Windows,Win
TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,Username,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,ProcessGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,CommandLine,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,LogonGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0002_windows_audit_process_creation_with_commandline
@ -1987,6 +2343,8 @@ TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,ProcessGuid,Windows,
TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,ProcessGuid,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,ProcessId,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,ThreadID,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,ProcessName,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4696,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,CommandLine,Windows,Windows Log,Microsoft-Windows-Sysmon/Operational,4688,LP_0001_windows_audit_process_creation
@ -2024,6 +2382,8 @@ TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,Hostname,Windows,Win
TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,Username,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,UserSid,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,ProcessPid,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,ProcessId,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,ThreadID,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,ProcessName,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,NewProcessName,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,Image,Windows,Windows Log,Security,1,LP_0003_windows_sysmon_process_creation
@ -2041,6 +2401,8 @@ TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,Hostname,Windows,Win
TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,Username,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,UserSid,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,ProcessPid,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,ProcessId,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,ThreadID,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,ProcessName,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,NewProcessName,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,Image,Windows,Windows Log,Security,4688,LP_0002_windows_audit_process_creation_with_commandline
@ -2063,6 +2425,10 @@ TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,UserSid,Windows,Wind
TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,UserSid,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,ProcessPid,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,ProcessPid,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,ProcessId,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,ProcessId,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,ThreadID,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,ThreadID,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,ProcessName,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,ProcessName,Windows,Windows Log,Security,4696,LP_0001_windows_audit_process_creation
TA0002: Execution,attack.t1085,Suspicious Rundll32 Activity,NewProcessName,Windows,Windows Log,Security,4688,LP_0001_windows_audit_process_creation
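Review bot: "Suspicious Rundll32 Activity" is emitted twice in full, once under TA0005: Defense Evasion and once under TA0002: Execution, with identical field, channel, event id and policy rows, so every correction made to one copy (the Sysmon/Operational-with-4688 rows, Security-with-event-1 rows, ThreadID on Security events) must be repeated in the other. If the tactic is the only difference, key the table on (title, field, channel, event_id, logging_policy) and carry tactic as a list column; otherwise at least generate both copies from the same per-rule record so they cannot drift apart.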

1 tactic technique title field dn_PLATFORM dn_TYPE dn_channel dn_event_id logging_policy_title
4 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer Username Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
5 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
6 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
7 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
8 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
9 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer CommandLine Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
10 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer LogonGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
26 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer Username Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
27 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
28 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
29 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
30 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
31 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer CommandLine Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
32 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer LogonGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
53 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
54 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
55 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
56 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
57 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
58 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
59 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
60 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer CommandLine Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
87 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ParentProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
88 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ParentCommandLine Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
89 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ParentCommandLine Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
90 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer EventID Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
91 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer Hostname Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
92 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer Username Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
93 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
94 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
95 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
96 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
97 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer CommandLine Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
98 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer LogonGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
99 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer LogonId Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
100 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer TerminalSessionid Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
101 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer IntegrityLevel Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
102 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer Imphash Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
103 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer Sha256hash Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
104 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer Sha1hash Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
105 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer Md5hash Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
106 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer Image Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
107 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ParentImage Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
108 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ParentProcessGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
109 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ParentProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
110 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ParentProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
111 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ParentCommandLine Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
112 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer EventID Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
113 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer Hostname Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
114 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer Username Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
115 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer UserSid Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
116 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessPid Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
117 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessId Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
118 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ThreadID Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
119 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessName Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
120 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer NewProcessName Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
121 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer Image Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
133 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer Username Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
134 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer UserSid Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
135 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessPid Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
136 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessId Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
137 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ThreadID Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
138 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessName Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
139 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer NewProcessName Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
140 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer Image Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
157 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer UserSid Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
158 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessPid Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
159 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessPid Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
160 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessId Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
161 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessId Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
162 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ThreadID Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
163 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ThreadID Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
164 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessName Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
165 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessName Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
166 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer NewProcessName Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
185 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer TokenElevationType Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
186 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer LogonId Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
187 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer LogonId Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
188 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer EventID Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
189 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer Hostname Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
190 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer Username Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
191 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer UserSid Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
192 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessPid Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
193 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessId Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
194 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ThreadID Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
195 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessName Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
196 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer NewProcessName Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
197 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer Image Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
198 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer CommandLine Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
199 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessCommandLine Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
200 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcesssCommandLine Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
201 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ParentProcessPid Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
202 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ParentImage Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
203 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ParentProcessName Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
204 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer MandatoryLabel Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
205 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer TokenElevationType Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
206 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer LogonId Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
207 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer EventID Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
208 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer Computer Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
209 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer UtcTime Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
210 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
211 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
212 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer Image Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
213 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer TargetFilename Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
214 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer CreationUtcTime Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
215 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer EventID Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
216 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer Computer Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
217 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer UtcTime Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
218 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
219 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
220 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer Image Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
221 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer TargetFilename Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
222 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer CreationUtcTime Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
223 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer EventID Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
224 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer EventID Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
225 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer Computer Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
226 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer Computer Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
227 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer UtcTime Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
228 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer UtcTime Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
229 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
230 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
231 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
232 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
233 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer Image Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
234 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer Image Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
235 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer TargetFilename Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
236 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer TargetFilename Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
237 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer CreationUtcTime Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
238 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer CreationUtcTime Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
239 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer EventID Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
240 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer Computer Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
241 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer UtcTime Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
242 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
243 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
244 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer Image Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
245 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer TargetFilename Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
246 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer CreationUtcTime Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
247 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer EventID Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
248 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer Hostname Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
249 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer Username Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
250 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer UserSid Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
251 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessPid Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
252 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessId Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
253 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ThreadID Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
254 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessName Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
255 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer NewProcessName Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
256 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer Image Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
265 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer Username Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
266 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer UserSid Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
267 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessPid Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
268 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessId Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
269 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ThreadID Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
270 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessName Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
271 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer NewProcessName Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
272 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer Image Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
286 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer UserSid Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
287 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessPid Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
288 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessPid Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
289 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessId Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
290 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessId Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
291 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ThreadID Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
292 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ThreadID Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
293 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessName Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
294 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessName Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
295 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer NewProcessName Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
308 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer TokenElevationType Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
309 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer LogonId Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
310 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer LogonId Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
311 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer EventID Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
312 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer Hostname Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
313 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer Username Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
314 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer UserSid Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
315 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessPid Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
316 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessId Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
317 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ThreadID Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
318 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ProcessName Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
319 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer NewProcessName Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
320 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer Image Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
321 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ParentImage Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
322 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ParentProcessPid Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
323 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer ParentProcessName Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
324 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer MandatoryLabel Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
325 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer TokenElevationType Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
326 TA0002: Execution attack.t1047 WMI Persistence - Script Event Consumer LogonId Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
327 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer EventID Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
328 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer Hostname Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
329 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer Username Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
330 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
331 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
332 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
333 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
334 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer CommandLine Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
335 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer LogonGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
351 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer Username Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
352 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
353 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
354 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
355 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
356 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer CommandLine Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
357 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer LogonGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
378 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
379 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
380 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
381 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
382 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
383 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
384 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
385 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer CommandLine Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
412 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ParentProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
413 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ParentCommandLine Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
414 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ParentCommandLine Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
415 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer EventID Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
416 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer Hostname Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
417 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer Username Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
418 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
419 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
420 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
421 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
422 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer CommandLine Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
423 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer LogonGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
424 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer LogonId Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
425 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer TerminalSessionid Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
426 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer IntegrityLevel Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
427 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer Imphash Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
428 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer Sha256hash Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
429 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer Sha1hash Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
430 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer Md5hash Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
431 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer Image Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
432 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ParentImage Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
433 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ParentProcessGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
434 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ParentProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
435 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ParentProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
436 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ParentCommandLine Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
437 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer EventID Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
438 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer Hostname Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
439 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer Username Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
440 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer UserSid Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
441 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessPid Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
442 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessId Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
443 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ThreadID Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
444 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessName Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
445 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer NewProcessName Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
446 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer Image Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
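Review bot: the channel, EventID and logging-policy columns do not agree with each other in this hunk, which suggests the rows are a cross product rather than real pairings. Line 414 pairs `Microsoft-Windows-Sysmon/Operational` with EventID 4696 and `LP_0001_windows_audit_process_creation`, while lines 437-446 pair the `Security` channel with EventID 1 and `LP_0003_windows_sysmon_process_creation`; Sysmon process creation is EventID 1 on the Sysmon channel and audit process creation is 4688/4696 on Security. Consider generating the channel/EventID/policy triple from each data-needed definition as a unit instead of combining the columns independently, otherwise the coverage figures derived from this file will count combinations that no source can produce.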
458 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer Username Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
459 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer UserSid Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
460 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessPid Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
461 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessId Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
462 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ThreadID Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
463 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessName Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
464 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer NewProcessName Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
465 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer Image Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
482 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer UserSid Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
483 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessPid Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
484 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessPid Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
485 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessId Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
486 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessId Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
487 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ThreadID Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
488 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ThreadID Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
489 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessName Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
490 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessName Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
491 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer NewProcessName Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
510 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer TokenElevationType Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
511 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer LogonId Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
512 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer LogonId Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
513 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer EventID Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
514 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer Hostname Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
515 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer Username Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
516 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer UserSid Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
517 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessPid Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
518 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessId Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
519 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ThreadID Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
520 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessName Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
521 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer NewProcessName Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
522 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer Image Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
523 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer CommandLine Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
524 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessCommandLine Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
525 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcesssCommandLine Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
526 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ParentProcessPid Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
527 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ParentImage Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
528 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ParentProcessName Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
529 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer MandatoryLabel Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
530 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer TokenElevationType Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
531 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer LogonId Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
532 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer EventID Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
533 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer Computer Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
534 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer UtcTime Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
535 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
536 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
537 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer Image Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
538 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer TargetFilename Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
539 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer CreationUtcTime Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
540 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer EventID Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
541 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer Computer Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
542 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer UtcTime Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
543 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
544 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
545 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer Image Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
546 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer TargetFilename Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
547 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer CreationUtcTime Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
548 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer EventID Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
549 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer EventID Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
550 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer Computer Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
551 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer Computer Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
552 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer UtcTime Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
553 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer UtcTime Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
554 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
555 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
556 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
557 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
558 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer Image Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
559 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer Image Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
560 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer TargetFilename Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
561 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer TargetFilename Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
562 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer CreationUtcTime Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
563 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer CreationUtcTime Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
564 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer EventID Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
565 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer Computer Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
566 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer UtcTime Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
567 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
568 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
569 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer Image Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
570 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer TargetFilename Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
571 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer CreationUtcTime Windows Windows Log Microsoft-Windows-Sysmon/Operational 11 LP_0008_windows_sysmon_FileCreate
572 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer EventID Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
573 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer Hostname Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
574 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer Username Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
575 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer UserSid Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
576 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessPid Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
577 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessId Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
578 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ThreadID Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
579 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessName Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
580 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer NewProcessName Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
581 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer Image Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
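Review bot: line 525 carries the field name `ProcesssCommandLine` (three `s`) directly below `ProcessCommandLine` on line 524; unless the data source really emits both spellings, this is a typo in the field list and the misspelled entry will never match anything. Suggest dropping line 525 or correcting it to `ProcessCommandLine`, and checking the data-needed definition it was generated from for the same typo.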
590 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer Username Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
591 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer UserSid Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
592 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessPid Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
593 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessId Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
594 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ThreadID Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
595 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessName Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
596 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer NewProcessName Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
597 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer Image Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
611 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer UserSid Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
612 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessPid Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
613 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessPid Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
614 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessId Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
615 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessId Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
616 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ThreadID Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
617 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ThreadID Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
618 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessName Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
619 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessName Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
620 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer NewProcessName Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
633 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer TokenElevationType Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
634 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer LogonId Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
635 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer LogonId Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
636 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer EventID Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
637 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer Hostname Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
638 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer Username Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
639 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer UserSid Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
640 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessPid Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
641 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessId Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
642 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ThreadID Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
643 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ProcessName Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
644 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer NewProcessName Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
645 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer Image Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
646 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ParentImage Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
647 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ParentProcessPid Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
648 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer ParentProcessName Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
649 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer MandatoryLabel Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
650 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer TokenElevationType Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
651 TA0003: Persistence attack.t1047 WMI Persistence - Script Event Consumer LogonId Windows Windows Log Security 11 LP_0008_windows_sysmon_FileCreate
652 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations EventID Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
653 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations Hostname Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
654 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations Username Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
655 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ProcessGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
656 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
657 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
658 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
659 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations CommandLine Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
660 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations LogonGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
676 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations Username Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
677 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ProcessGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
678 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
679 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
680 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
681 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations CommandLine Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
682 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations LogonGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
703 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ProcessGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
704 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
705 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
706 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
707 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
708 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
709 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
710 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations CommandLine Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
742 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations Username Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
743 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations UserSid Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
744 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ProcessPid Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
745 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ProcessId Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
746 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ThreadID Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
747 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ProcessName Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
748 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations NewProcessName Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
749 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations Image Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
761 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations Username Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
762 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations UserSid Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
763 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ProcessPid Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
764 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ProcessId Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
765 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ThreadID Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
766 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ProcessName Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
767 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations NewProcessName Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
768 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations Image Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
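Review bot: rows 761-768 emit both "NewProcessName ... 4688" (row 767) and "Image ... 4688" (row 768) for the same rule and event, and the 4688 Data Needed in this commit lists both names in its Fields. If the Field column is the name as it appears in that event, Image belongs with Sysmon EventID 1 (compare row 749) and not with 4688; if it is the normalized ATC field name, one of the two rows is redundant. State in the Data Needed template which naming the Fields list uses, otherwise consumers of this CSV cannot tell which name to query.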
785 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations UserSid Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
786 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ProcessPid Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
787 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ProcessPid Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
788 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ProcessId Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
789 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ProcessId Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
790 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ThreadID Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
791 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ThreadID Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
792 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ProcessName Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
793 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ProcessName Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
794 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations NewProcessName Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
818 TA0006: Credential Access attack.t1003 Suspicious SYSVOL Domain Group Policy Access Username Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
819 TA0006: Credential Access attack.t1003 Suspicious SYSVOL Domain Group Policy Access ProcessGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
820 TA0006: Credential Access attack.t1003 Suspicious SYSVOL Domain Group Policy Access ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
821 TA0006: Credential Access attack.t1003 Suspicious SYSVOL Domain Group Policy Access ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
822 TA0006: Credential Access attack.t1003 Suspicious SYSVOL Domain Group Policy Access ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
823 TA0006: Credential Access attack.t1003 Suspicious SYSVOL Domain Group Policy Access CommandLine Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
824 TA0006: Credential Access attack.t1003 Suspicious SYSVOL Domain Group Policy Access LogonGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
840 TA0006: Credential Access attack.t1003 Suspicious SYSVOL Domain Group Policy Access Username Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
841 TA0006: Credential Access attack.t1003 Suspicious SYSVOL Domain Group Policy Access ProcessGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
842 TA0006: Credential Access attack.t1003 Suspicious SYSVOL Domain Group Policy Access ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
843 TA0006: Credential Access attack.t1003 Suspicious SYSVOL Domain Group Policy Access ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
844 TA0006: Credential Access attack.t1003 Suspicious SYSVOL Domain Group Policy Access ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
845 TA0006: Credential Access attack.t1003 Suspicious SYSVOL Domain Group Policy Access CommandLine Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
846 TA0006: Credential Access attack.t1003 Suspicious SYSVOL Domain Group Policy Access LogonGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
867 TA0006: Credential Access attack.t1003 Suspicious SYSVOL Domain Group Policy Access ProcessGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
868 TA0006: Credential Access attack.t1003 Suspicious SYSVOL Domain Group Policy Access ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
869 TA0006: Credential Access attack.t1003 Suspicious SYSVOL Domain Group Policy Access ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
870 TA0006: Credential Access attack.t1003 Suspicious SYSVOL Domain Group Policy Access ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
871 TA0006: Credential Access attack.t1003 Suspicious SYSVOL Domain Group Policy Access ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
872 TA0006: Credential Access attack.t1003 Suspicious SYSVOL Domain Group Policy Access ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
873 TA0006: Credential Access attack.t1003 Suspicious SYSVOL Domain Group Policy Access ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
874 TA0006: Credential Access attack.t1003 Suspicious SYSVOL Domain Group Policy Access CommandLine Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
906 TA0006: Credential Access attack.t1003 Suspicious SYSVOL Domain Group Policy Access Username Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
907 TA0006: Credential Access attack.t1003 Suspicious SYSVOL Domain Group Policy Access UserSid Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
908 TA0006: Credential Access attack.t1003 Suspicious SYSVOL Domain Group Policy Access ProcessPid Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
909 TA0006: Credential Access attack.t1003 Suspicious SYSVOL Domain Group Policy Access ProcessId Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
910 TA0006: Credential Access attack.t1003 Suspicious SYSVOL Domain Group Policy Access ThreadID Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
911 TA0006: Credential Access attack.t1003 Suspicious SYSVOL Domain Group Policy Access ProcessName Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
912 TA0006: Credential Access attack.t1003 Suspicious SYSVOL Domain Group Policy Access NewProcessName Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
913 TA0006: Credential Access attack.t1003 Suspicious SYSVOL Domain Group Policy Access Image Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
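Review bot: rows 908 and 909 list ProcessPid and ProcessId as separate fields of the same event (and rows 910, ThreadID, follow the same pattern for every rule in this file), matching the ProcessId and ThreadID entries this commit adds next to ProcessPid in the 4688 Data Needed. If ProcessId/ThreadID are meant to be the Execution attributes from the event's System section while ProcessPid is the event-data PID of the new process, document that distinction in the Data Needed, since the two PIDs refer to different processes; if they are aliases for the same value, keep one name so the field set does not double in size for every rule.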
925 TA0006: Credential Access attack.t1003 Suspicious SYSVOL Domain Group Policy Access Username Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
926 TA0006: Credential Access attack.t1003 Suspicious SYSVOL Domain Group Policy Access UserSid Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
927 TA0006: Credential Access attack.t1003 Suspicious SYSVOL Domain Group Policy Access ProcessPid Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
928 TA0006: Credential Access attack.t1003 Suspicious SYSVOL Domain Group Policy Access ProcessId Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
929 TA0006: Credential Access attack.t1003 Suspicious SYSVOL Domain Group Policy Access ThreadID Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
930 TA0006: Credential Access attack.t1003 Suspicious SYSVOL Domain Group Policy Access ProcessName Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
931 TA0006: Credential Access attack.t1003 Suspicious SYSVOL Domain Group Policy Access NewProcessName Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
932 TA0006: Credential Access attack.t1003 Suspicious SYSVOL Domain Group Policy Access Image Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
949 TA0006: Credential Access attack.t1003 Suspicious SYSVOL Domain Group Policy Access UserSid Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
950 TA0006: Credential Access attack.t1003 Suspicious SYSVOL Domain Group Policy Access ProcessPid Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
951 TA0006: Credential Access attack.t1003 Suspicious SYSVOL Domain Group Policy Access ProcessPid Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
952 TA0006: Credential Access attack.t1003 Suspicious SYSVOL Domain Group Policy Access ProcessId Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
953 TA0006: Credential Access attack.t1003 Suspicious SYSVOL Domain Group Policy Access ProcessId Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
954 TA0006: Credential Access attack.t1003 Suspicious SYSVOL Domain Group Policy Access ThreadID Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
955 TA0006: Credential Access attack.t1003 Suspicious SYSVOL Domain Group Policy Access ThreadID Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
956 TA0006: Credential Access attack.t1003 Suspicious SYSVOL Domain Group Policy Access ProcessName Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
957 TA0006: Credential Access attack.t1003 Suspicious SYSVOL Domain Group Policy Access ProcessName Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
958 TA0006: Credential Access attack.t1003 Suspicious SYSVOL Domain Group Policy Access NewProcessName Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
982 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations Username Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
983 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ProcessGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
984 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
985 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
986 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
987 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations CommandLine Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
988 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations LogonGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
1004 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations Username Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
1005 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ProcessGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
1006 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
1007 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
1008 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
1009 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations CommandLine Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
1010 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations LogonGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
1031 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ProcessGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
1032 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
1033 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
1034 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
1035 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
1036 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
1037 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
1038 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations CommandLine Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
1070 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations Username Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
1071 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations UserSid Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
1072 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ProcessPid Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
1073 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ProcessId Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
1074 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ThreadID Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
1075 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ProcessName Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
1076 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations NewProcessName Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
1077 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations Image Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
1089 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations Username Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
1090 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations UserSid Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
1091 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ProcessPid Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
1092 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ProcessId Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
1093 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ThreadID Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
1094 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ProcessName Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
1095 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations NewProcessName Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
1096 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations Image Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
1113 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations UserSid Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
1114 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ProcessPid Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
1115 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ProcessPid Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
1116 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ProcessId Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
1117 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ProcessId Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
1118 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ThreadID Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
1119 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ThreadID Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
1120 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ProcessName Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
1121 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations ProcessName Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
1122 TA0005: Defense Evasion attack.t1036 Suspicious Process Start Locations NewProcessName Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
1146 TA0007: Discovery attack.t1073 Reconnaissance Activity with Net Command Username Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
1147 TA0007: Discovery attack.t1073 Reconnaissance Activity with Net Command ProcessGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
1148 TA0007: Discovery attack.t1073 Reconnaissance Activity with Net Command ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
1149 TA0007: Discovery attack.t1073 Reconnaissance Activity with Net Command ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
1150 TA0007: Discovery attack.t1073 Reconnaissance Activity with Net Command ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
1151 TA0007: Discovery attack.t1073 Reconnaissance Activity with Net Command CommandLine Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
1152 TA0007: Discovery attack.t1073 Reconnaissance Activity with Net Command LogonGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
1168 TA0007: Discovery attack.t1073 Reconnaissance Activity with Net Command Username Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
1169 TA0007: Discovery attack.t1073 Reconnaissance Activity with Net Command ProcessGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
1170 TA0007: Discovery attack.t1073 Reconnaissance Activity with Net Command ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
1171 TA0007: Discovery attack.t1073 Reconnaissance Activity with Net Command ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
1172 TA0007: Discovery attack.t1073 Reconnaissance Activity with Net Command ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
1173 TA0007: Discovery attack.t1073 Reconnaissance Activity with Net Command CommandLine Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
1174 TA0007: Discovery attack.t1073 Reconnaissance Activity with Net Command LogonGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
1195 TA0007: Discovery attack.t1073 Reconnaissance Activity with Net Command ProcessGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
1196 TA0007: Discovery attack.t1073 Reconnaissance Activity with Net Command ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
1197 TA0007: Discovery attack.t1073 Reconnaissance Activity with Net Command ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
1198 TA0007: Discovery attack.t1073 Reconnaissance Activity with Net Command ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
1199 TA0007: Discovery attack.t1073 Reconnaissance Activity with Net Command ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
1200 TA0007: Discovery attack.t1073 Reconnaissance Activity with Net Command ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
1201 TA0007: Discovery attack.t1073 Reconnaissance Activity with Net Command ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
1202 TA0007: Discovery attack.t1073 Reconnaissance Activity with Net Command CommandLine Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
1234 TA0007: Discovery attack.t1073 Reconnaissance Activity with Net Command Username Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
1235 TA0007: Discovery attack.t1073 Reconnaissance Activity with Net Command UserSid Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
1236 TA0007: Discovery attack.t1073 Reconnaissance Activity with Net Command ProcessPid Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
1237 TA0007: Discovery attack.t1073 Reconnaissance Activity with Net Command ProcessId Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
1238 TA0007: Discovery attack.t1073 Reconnaissance Activity with Net Command ThreadID Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
1239 TA0007: Discovery attack.t1073 Reconnaissance Activity with Net Command ProcessName Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
1240 TA0007: Discovery attack.t1073 Reconnaissance Activity with Net Command NewProcessName Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
1241 TA0007: Discovery attack.t1073 Reconnaissance Activity with Net Command Image Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
1253 TA0007: Discovery attack.t1073 Reconnaissance Activity with Net Command Username Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
1254 TA0007: Discovery attack.t1073 Reconnaissance Activity with Net Command UserSid Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
1255 TA0007: Discovery attack.t1073 Reconnaissance Activity with Net Command ProcessPid Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
1256 TA0007: Discovery attack.t1073 Reconnaissance Activity with Net Command ProcessId Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
1257 TA0007: Discovery attack.t1073 Reconnaissance Activity with Net Command ThreadID Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
1258 TA0007: Discovery attack.t1073 Reconnaissance Activity with Net Command ProcessName Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
1259 TA0007: Discovery attack.t1073 Reconnaissance Activity with Net Command NewProcessName Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
1260 TA0007: Discovery attack.t1073 Reconnaissance Activity with Net Command Image Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
1277 TA0007: Discovery attack.t1073 Reconnaissance Activity with Net Command UserSid Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
1278 TA0007: Discovery attack.t1073 Reconnaissance Activity with Net Command ProcessPid Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
1279 TA0007: Discovery attack.t1073 Reconnaissance Activity with Net Command ProcessPid Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
1280 TA0007: Discovery attack.t1073 Reconnaissance Activity with Net Command ProcessId Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
1281 TA0007: Discovery attack.t1073 Reconnaissance Activity with Net Command ProcessId Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
1282 TA0007: Discovery attack.t1073 Reconnaissance Activity with Net Command ThreadID Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
1283 TA0007: Discovery attack.t1073 Reconnaissance Activity with Net Command ThreadID Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
1284 TA0007: Discovery attack.t1073 Reconnaissance Activity with Net Command ProcessName Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
1285 TA0007: Discovery attack.t1073 Reconnaissance Activity with Net Command ProcessName Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
1286 TA0007: Discovery attack.t1073 Reconnaissance Activity with Net Command NewProcessName Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
1310 TA0007: Discovery attack.t1012 Reconnaissance Activity with Net Command Username Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
1311 TA0007: Discovery attack.t1012 Reconnaissance Activity with Net Command ProcessGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
1312 TA0007: Discovery attack.t1012 Reconnaissance Activity with Net Command ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
1313 TA0007: Discovery attack.t1012 Reconnaissance Activity with Net Command ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
1314 TA0007: Discovery attack.t1012 Reconnaissance Activity with Net Command ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
1315 TA0007: Discovery attack.t1012 Reconnaissance Activity with Net Command CommandLine Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
1316 TA0007: Discovery attack.t1012 Reconnaissance Activity with Net Command LogonGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
1332 TA0007: Discovery attack.t1012 Reconnaissance Activity with Net Command Username Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
1333 TA0007: Discovery attack.t1012 Reconnaissance Activity with Net Command ProcessGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
1334 TA0007: Discovery attack.t1012 Reconnaissance Activity with Net Command ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
1335 TA0007: Discovery attack.t1012 Reconnaissance Activity with Net Command ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
1336 TA0007: Discovery attack.t1012 Reconnaissance Activity with Net Command ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
1337 TA0007: Discovery attack.t1012 Reconnaissance Activity with Net Command CommandLine Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
1338 TA0007: Discovery attack.t1012 Reconnaissance Activity with Net Command LogonGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
1359 TA0007: Discovery attack.t1012 Reconnaissance Activity with Net Command ProcessGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
1360 TA0007: Discovery attack.t1012 Reconnaissance Activity with Net Command ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
1361 TA0007: Discovery attack.t1012 Reconnaissance Activity with Net Command ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
1362 TA0007: Discovery attack.t1012 Reconnaissance Activity with Net Command ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
1363 TA0007: Discovery attack.t1012 Reconnaissance Activity with Net Command ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
1364 TA0007: Discovery attack.t1012 Reconnaissance Activity with Net Command ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
1365 TA0007: Discovery attack.t1012 Reconnaissance Activity with Net Command ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
1366 TA0007: Discovery attack.t1012 Reconnaissance Activity with Net Command CommandLine Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
1398 TA0007: Discovery attack.t1012 Reconnaissance Activity with Net Command Username Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
1399 TA0007: Discovery attack.t1012 Reconnaissance Activity with Net Command UserSid Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
1400 TA0007: Discovery attack.t1012 Reconnaissance Activity with Net Command ProcessPid Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
1401 TA0007: Discovery attack.t1012 Reconnaissance Activity with Net Command ProcessId Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
1402 TA0007: Discovery attack.t1012 Reconnaissance Activity with Net Command ThreadID Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
1403 TA0007: Discovery attack.t1012 Reconnaissance Activity with Net Command ProcessName Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
1404 TA0007: Discovery attack.t1012 Reconnaissance Activity with Net Command NewProcessName Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
1405 TA0007: Discovery attack.t1012 Reconnaissance Activity with Net Command Image Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
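Review bot: this hunk shows the inverse of the same inconsistency: channel Security is paired with EventID 1 and LP_0003_windows_sysmon_process_creation, and Sysmon-only fields (Image, and ProcessGuid/LogonGuid in the 4688 rows above) are listed against Security-channel events that do not carry them. Because the analytics rows are meant to tell an operator which logging policy to enable for a given detection, a mismatched policy here sends them to the wrong audit setting; generating rows only for channel/EventID/field/policy combinations that actually appear in a DN file (and adding a consistency check that fails the export on a Security-channel row with EventID 1 or a Sysmon/Operational row with 4688/4696) would catch this before it is committed.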
1417 TA0007: Discovery attack.t1012 Reconnaissance Activity with Net Command Username Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
1418 TA0007: Discovery attack.t1012 Reconnaissance Activity with Net Command UserSid Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
1419 TA0007: Discovery attack.t1012 Reconnaissance Activity with Net Command ProcessPid Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
1420 TA0007: Discovery attack.t1012 Reconnaissance Activity with Net Command ProcessId Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
1421 TA0007: Discovery attack.t1012 Reconnaissance Activity with Net Command ThreadID Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
1422 TA0007: Discovery attack.t1012 Reconnaissance Activity with Net Command ProcessName Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
1423 TA0007: Discovery attack.t1012 Reconnaissance Activity with Net Command NewProcessName Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
1424 TA0007: Discovery attack.t1012 Reconnaissance Activity with Net Command Image Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
1441 TA0007: Discovery attack.t1012 Reconnaissance Activity with Net Command UserSid Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
1442 TA0007: Discovery attack.t1012 Reconnaissance Activity with Net Command ProcessPid Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
1443 TA0007: Discovery attack.t1012 Reconnaissance Activity with Net Command ProcessPid Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
1444 TA0007: Discovery attack.t1012 Reconnaissance Activity with Net Command ProcessId Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
1445 TA0007: Discovery attack.t1012 Reconnaissance Activity with Net Command ProcessId Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
1446 TA0007: Discovery attack.t1012 Reconnaissance Activity with Net Command ThreadID Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
1447 TA0007: Discovery attack.t1012 Reconnaissance Activity with Net Command ThreadID Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
1448 TA0007: Discovery attack.t1012 Reconnaissance Activity with Net Command ProcessName Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
1449 TA0007: Discovery attack.t1012 Reconnaissance Activity with Net Command ProcessName Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
1450 TA0007: Discovery attack.t1012 Reconnaissance Activity with Net Command NewProcessName Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
1474 TA0004: Privilege Escalation attack.t1068 Hurricane Panda Activity Username Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
1475 TA0004: Privilege Escalation attack.t1068 Hurricane Panda Activity ProcessGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
1476 TA0004: Privilege Escalation attack.t1068 Hurricane Panda Activity ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
1477 TA0004: Privilege Escalation attack.t1068 Hurricane Panda Activity ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
1478 TA0004: Privilege Escalation attack.t1068 Hurricane Panda Activity ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
1479 TA0004: Privilege Escalation attack.t1068 Hurricane Panda Activity CommandLine Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
1480 TA0004: Privilege Escalation attack.t1068 Hurricane Panda Activity LogonGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
1496 TA0004: Privilege Escalation attack.t1068 Hurricane Panda Activity Username Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
1497 TA0004: Privilege Escalation attack.t1068 Hurricane Panda Activity ProcessGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
1498 TA0004: Privilege Escalation attack.t1068 Hurricane Panda Activity ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
1499 TA0004: Privilege Escalation attack.t1068 Hurricane Panda Activity ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
1500 TA0004: Privilege Escalation attack.t1068 Hurricane Panda Activity ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
1501 TA0004: Privilege Escalation attack.t1068 Hurricane Panda Activity CommandLine Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
1502 TA0004: Privilege Escalation attack.t1068 Hurricane Panda Activity LogonGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
1523 TA0004: Privilege Escalation attack.t1068 Hurricane Panda Activity ProcessGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
1524 TA0004: Privilege Escalation attack.t1068 Hurricane Panda Activity ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
1525 TA0004: Privilege Escalation attack.t1068 Hurricane Panda Activity ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
1526 TA0004: Privilege Escalation attack.t1068 Hurricane Panda Activity ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
1527 TA0004: Privilege Escalation attack.t1068 Hurricane Panda Activity ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
1528 TA0004: Privilege Escalation attack.t1068 Hurricane Panda Activity ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
1529 TA0004: Privilege Escalation attack.t1068 Hurricane Panda Activity ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
1530 TA0004: Privilege Escalation attack.t1068 Hurricane Panda Activity CommandLine Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
1562 TA0004: Privilege Escalation attack.t1068 Hurricane Panda Activity Username Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
1563 TA0004: Privilege Escalation attack.t1068 Hurricane Panda Activity UserSid Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
1564 TA0004: Privilege Escalation attack.t1068 Hurricane Panda Activity ProcessPid Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
1565 TA0004: Privilege Escalation attack.t1068 Hurricane Panda Activity ProcessId Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
1566 TA0004: Privilege Escalation attack.t1068 Hurricane Panda Activity ThreadID Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
1567 TA0004: Privilege Escalation attack.t1068 Hurricane Panda Activity ProcessName Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
1568 TA0004: Privilege Escalation attack.t1068 Hurricane Panda Activity NewProcessName Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
1569 TA0004: Privilege Escalation attack.t1068 Hurricane Panda Activity Image Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
1581 TA0004: Privilege Escalation attack.t1068 Hurricane Panda Activity Username Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
1582 TA0004: Privilege Escalation attack.t1068 Hurricane Panda Activity UserSid Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
1583 TA0004: Privilege Escalation attack.t1068 Hurricane Panda Activity ProcessPid Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
1584 TA0004: Privilege Escalation attack.t1068 Hurricane Panda Activity ProcessId Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
1585 TA0004: Privilege Escalation attack.t1068 Hurricane Panda Activity ThreadID Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
1586 TA0004: Privilege Escalation attack.t1068 Hurricane Panda Activity ProcessName Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
1587 TA0004: Privilege Escalation attack.t1068 Hurricane Panda Activity NewProcessName Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
1588 TA0004: Privilege Escalation attack.t1068 Hurricane Panda Activity Image Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
1605 TA0004: Privilege Escalation attack.t1068 Hurricane Panda Activity UserSid Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
1606 TA0004: Privilege Escalation attack.t1068 Hurricane Panda Activity ProcessPid Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
1607 TA0004: Privilege Escalation attack.t1068 Hurricane Panda Activity ProcessPid Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
1608 TA0004: Privilege Escalation attack.t1068 Hurricane Panda Activity ProcessId Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
1609 TA0004: Privilege Escalation attack.t1068 Hurricane Panda Activity ProcessId Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
1610 TA0004: Privilege Escalation attack.t1068 Hurricane Panda Activity ThreadID Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
1611 TA0004: Privilege Escalation attack.t1068 Hurricane Panda Activity ThreadID Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
1612 TA0004: Privilege Escalation attack.t1068 Hurricane Panda Activity ProcessName Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
1613 TA0004: Privilege Escalation attack.t1068 Hurricane Panda Activity ProcessName Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
1614 TA0004: Privilege Escalation attack.t1068 Hurricane Panda Activity NewProcessName Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
1638 TA0003: Persistence attack.t1100 IIS Native-Code Module Command Line Installation Username Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
1639 TA0003: Persistence attack.t1100 IIS Native-Code Module Command Line Installation ProcessGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
1640 TA0003: Persistence attack.t1100 IIS Native-Code Module Command Line Installation ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
1641 TA0003: Persistence attack.t1100 IIS Native-Code Module Command Line Installation ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
1642 TA0003: Persistence attack.t1100 IIS Native-Code Module Command Line Installation ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
1643 TA0003: Persistence attack.t1100 IIS Native-Code Module Command Line Installation CommandLine Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
1644 TA0003: Persistence attack.t1100 IIS Native-Code Module Command Line Installation LogonGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
1660 TA0003: Persistence attack.t1100 IIS Native-Code Module Command Line Installation Username Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
1661 TA0003: Persistence attack.t1100 IIS Native-Code Module Command Line Installation ProcessGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
1662 TA0003: Persistence attack.t1100 IIS Native-Code Module Command Line Installation ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
1663 TA0003: Persistence attack.t1100 IIS Native-Code Module Command Line Installation ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
1664 TA0003: Persistence attack.t1100 IIS Native-Code Module Command Line Installation ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
1665 TA0003: Persistence attack.t1100 IIS Native-Code Module Command Line Installation CommandLine Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
1666 TA0003: Persistence attack.t1100 IIS Native-Code Module Command Line Installation LogonGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
1687 TA0003: Persistence attack.t1100 IIS Native-Code Module Command Line Installation ProcessGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
1688 TA0003: Persistence attack.t1100 IIS Native-Code Module Command Line Installation ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
1689 TA0003: Persistence attack.t1100 IIS Native-Code Module Command Line Installation ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
1690 TA0003: Persistence attack.t1100 IIS Native-Code Module Command Line Installation ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
1691 TA0003: Persistence attack.t1100 IIS Native-Code Module Command Line Installation ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
1692 TA0003: Persistence attack.t1100 IIS Native-Code Module Command Line Installation ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
1693 TA0003: Persistence attack.t1100 IIS Native-Code Module Command Line Installation ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
1694 TA0003: Persistence attack.t1100 IIS Native-Code Module Command Line Installation CommandLine Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
1726 TA0003: Persistence attack.t1100 IIS Native-Code Module Command Line Installation Username Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
1727 TA0003: Persistence attack.t1100 IIS Native-Code Module Command Line Installation UserSid Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
1728 TA0003: Persistence attack.t1100 IIS Native-Code Module Command Line Installation ProcessPid Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
1729 TA0003: Persistence attack.t1100 IIS Native-Code Module Command Line Installation ProcessId Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
1730 TA0003: Persistence attack.t1100 IIS Native-Code Module Command Line Installation ThreadID Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
1731 TA0003: Persistence attack.t1100 IIS Native-Code Module Command Line Installation ProcessName Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
1732 TA0003: Persistence attack.t1100 IIS Native-Code Module Command Line Installation NewProcessName Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
1733 TA0003: Persistence attack.t1100 IIS Native-Code Module Command Line Installation Image Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
1745 TA0003: Persistence attack.t1100 IIS Native-Code Module Command Line Installation Username Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
1746 TA0003: Persistence attack.t1100 IIS Native-Code Module Command Line Installation UserSid Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
1747 TA0003: Persistence attack.t1100 IIS Native-Code Module Command Line Installation ProcessPid Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
1748 TA0003: Persistence attack.t1100 IIS Native-Code Module Command Line Installation ProcessId Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
1749 TA0003: Persistence attack.t1100 IIS Native-Code Module Command Line Installation ThreadID Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
1750 TA0003: Persistence attack.t1100 IIS Native-Code Module Command Line Installation ProcessName Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
1751 TA0003: Persistence attack.t1100 IIS Native-Code Module Command Line Installation NewProcessName Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
1752 TA0003: Persistence attack.t1100 IIS Native-Code Module Command Line Installation Image Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
1769 TA0003: Persistence attack.t1100 IIS Native-Code Module Command Line Installation UserSid Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
1770 TA0003: Persistence attack.t1100 IIS Native-Code Module Command Line Installation ProcessPid Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
1771 TA0003: Persistence attack.t1100 IIS Native-Code Module Command Line Installation ProcessPid Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
1772 TA0003: Persistence attack.t1100 IIS Native-Code Module Command Line Installation ProcessId Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
1773 TA0003: Persistence attack.t1100 IIS Native-Code Module Command Line Installation ProcessId Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
1774 TA0003: Persistence attack.t1100 IIS Native-Code Module Command Line Installation ThreadID Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
1775 TA0003: Persistence attack.t1100 IIS Native-Code Module Command Line Installation ThreadID Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
1776 TA0003: Persistence attack.t1100 IIS Native-Code Module Command Line Installation ProcessName Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
1777 TA0003: Persistence attack.t1100 IIS Native-Code Module Command Line Installation ProcessName Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
1778 TA0003: Persistence attack.t1100 IIS Native-Code Module Command Line Installation NewProcessName Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
1802 TA0006: Credential Access attack.t1003 Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) Username Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
1803 TA0006: Credential Access attack.t1003 Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) ProcessGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
1804 TA0006: Credential Access attack.t1003 Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
1805 TA0006: Credential Access attack.t1003 Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
1806 TA0006: Credential Access attack.t1003 Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
1807 TA0006: Credential Access attack.t1003 Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) CommandLine Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
1808 TA0006: Credential Access attack.t1003 Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) LogonGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
1824 TA0006: Credential Access attack.t1003 Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) Username Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
1825 TA0006: Credential Access attack.t1003 Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) ProcessGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
1826 TA0006: Credential Access attack.t1003 Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
1827 TA0006: Credential Access attack.t1003 Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
1828 TA0006: Credential Access attack.t1003 Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
1829 TA0006: Credential Access attack.t1003 Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) CommandLine Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
1830 TA0006: Credential Access attack.t1003 Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) LogonGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
1851 TA0006: Credential Access attack.t1003 Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) ProcessGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
1852 TA0006: Credential Access attack.t1003 Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
1853 TA0006: Credential Access attack.t1003 Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
1854 TA0006: Credential Access attack.t1003 Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
1855 TA0006: Credential Access attack.t1003 Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
1856 TA0006: Credential Access attack.t1003 Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
1857 TA0006: Credential Access attack.t1003 Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
1858 TA0006: Credential Access attack.t1003 Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) CommandLine Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
1890 TA0006: Credential Access attack.t1003 Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) Username Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
1891 TA0006: Credential Access attack.t1003 Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) UserSid Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
1892 TA0006: Credential Access attack.t1003 Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) ProcessPid Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
1893 TA0006: Credential Access attack.t1003 Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) ProcessId Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
1894 TA0006: Credential Access attack.t1003 Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) ThreadID Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
1895 TA0006: Credential Access attack.t1003 Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) ProcessName Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
1896 TA0006: Credential Access attack.t1003 Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) NewProcessName Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
1897 TA0006: Credential Access attack.t1003 Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) Image Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
1909 TA0006: Credential Access attack.t1003 Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) Username Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
1910 TA0006: Credential Access attack.t1003 Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) UserSid Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
1911 TA0006: Credential Access attack.t1003 Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) ProcessPid Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
1912 TA0006: Credential Access attack.t1003 Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) ProcessId Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
1913 TA0006: Credential Access attack.t1003 Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) ThreadID Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
1914 TA0006: Credential Access attack.t1003 Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) ProcessName Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
1915 TA0006: Credential Access attack.t1003 Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) NewProcessName Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
1916 TA0006: Credential Access attack.t1003 Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) Image Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
1933 TA0006: Credential Access attack.t1003 Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) UserSid Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
1934 TA0006: Credential Access attack.t1003 Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) ProcessPid Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
1935 TA0006: Credential Access attack.t1003 Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) ProcessPid Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
1936 TA0006: Credential Access attack.t1003 Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) ProcessId Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
1937 TA0006: Credential Access attack.t1003 Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) ProcessId Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
1938 TA0006: Credential Access attack.t1003 Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) ThreadID Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
1939 TA0006: Credential Access attack.t1003 Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) ThreadID Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
1940 TA0006: Credential Access attack.t1003 Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) ProcessName Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
1941 TA0006: Credential Access attack.t1003 Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) ProcessName Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
1942 TA0006: Credential Access attack.t1003 Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) NewProcessName Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
1966 TA0005: Defense Evasion attack.t1140 Suspicious Commandline Escape Username Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
1967 TA0005: Defense Evasion attack.t1140 Suspicious Commandline Escape ProcessGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
1968 TA0005: Defense Evasion attack.t1140 Suspicious Commandline Escape ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
1969 TA0005: Defense Evasion attack.t1140 Suspicious Commandline Escape ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
1970 TA0005: Defense Evasion attack.t1140 Suspicious Commandline Escape ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
1971 TA0005: Defense Evasion attack.t1140 Suspicious Commandline Escape CommandLine Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
1972 TA0005: Defense Evasion attack.t1140 Suspicious Commandline Escape LogonGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
1988 TA0005: Defense Evasion attack.t1140 Suspicious Commandline Escape Username Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
1989 TA0005: Defense Evasion attack.t1140 Suspicious Commandline Escape ProcessGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
1990 TA0005: Defense Evasion attack.t1140 Suspicious Commandline Escape ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
1991 TA0005: Defense Evasion attack.t1140 Suspicious Commandline Escape ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
1992 TA0005: Defense Evasion attack.t1140 Suspicious Commandline Escape ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
1993 TA0005: Defense Evasion attack.t1140 Suspicious Commandline Escape CommandLine Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
1994 TA0005: Defense Evasion attack.t1140 Suspicious Commandline Escape LogonGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
2015 TA0005: Defense Evasion attack.t1140 Suspicious Commandline Escape ProcessGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
2016 TA0005: Defense Evasion attack.t1140 Suspicious Commandline Escape ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
2017 TA0005: Defense Evasion attack.t1140 Suspicious Commandline Escape ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
2018 TA0005: Defense Evasion attack.t1140 Suspicious Commandline Escape ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
2019 TA0005: Defense Evasion attack.t1140 Suspicious Commandline Escape ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
2020 TA0005: Defense Evasion attack.t1140 Suspicious Commandline Escape ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
2021 TA0005: Defense Evasion attack.t1140 Suspicious Commandline Escape ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
2022 TA0005: Defense Evasion attack.t1140 Suspicious Commandline Escape CommandLine Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
2054 TA0005: Defense Evasion attack.t1140 Suspicious Commandline Escape Username Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
2055 TA0005: Defense Evasion attack.t1140 Suspicious Commandline Escape UserSid Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
2056 TA0005: Defense Evasion attack.t1140 Suspicious Commandline Escape ProcessPid Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
2057 TA0005: Defense Evasion attack.t1140 Suspicious Commandline Escape ProcessId Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
2058 TA0005: Defense Evasion attack.t1140 Suspicious Commandline Escape ThreadID Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
2059 TA0005: Defense Evasion attack.t1140 Suspicious Commandline Escape ProcessName Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
2060 TA0005: Defense Evasion attack.t1140 Suspicious Commandline Escape NewProcessName Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
2061 TA0005: Defense Evasion attack.t1140 Suspicious Commandline Escape Image Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
2073 TA0005: Defense Evasion attack.t1140 Suspicious Commandline Escape Username Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
2074 TA0005: Defense Evasion attack.t1140 Suspicious Commandline Escape UserSid Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
2075 TA0005: Defense Evasion attack.t1140 Suspicious Commandline Escape ProcessPid Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
2076 TA0005: Defense Evasion attack.t1140 Suspicious Commandline Escape ProcessId Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
2077 TA0005: Defense Evasion attack.t1140 Suspicious Commandline Escape ThreadID Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
2078 TA0005: Defense Evasion attack.t1140 Suspicious Commandline Escape ProcessName Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
2079 TA0005: Defense Evasion attack.t1140 Suspicious Commandline Escape NewProcessName Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
2080 TA0005: Defense Evasion attack.t1140 Suspicious Commandline Escape Image Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
2097 TA0005: Defense Evasion attack.t1140 Suspicious Commandline Escape UserSid Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
2098 TA0005: Defense Evasion attack.t1140 Suspicious Commandline Escape ProcessPid Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
2099 TA0005: Defense Evasion attack.t1140 Suspicious Commandline Escape ProcessPid Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
2100 TA0005: Defense Evasion attack.t1140 Suspicious Commandline Escape ProcessId Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
2101 TA0005: Defense Evasion attack.t1140 Suspicious Commandline Escape ProcessId Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
2102 TA0005: Defense Evasion attack.t1140 Suspicious Commandline Escape ThreadID Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
2103 TA0005: Defense Evasion attack.t1140 Suspicious Commandline Escape ThreadID Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
2104 TA0005: Defense Evasion attack.t1140 Suspicious Commandline Escape ProcessName Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
2105 TA0005: Defense Evasion attack.t1140 Suspicious Commandline Escape ProcessName Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
2106 TA0005: Defense Evasion attack.t1140 Suspicious Commandline Escape NewProcessName Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
2130 TA0005: Defense Evasion attack.t1085 Suspicious Rundll32 Activity Username Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
2131 TA0005: Defense Evasion attack.t1085 Suspicious Rundll32 Activity ProcessGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
2132 TA0005: Defense Evasion attack.t1085 Suspicious Rundll32 Activity ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
2133 TA0005: Defense Evasion attack.t1085 Suspicious Rundll32 Activity ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
2134 TA0005: Defense Evasion attack.t1085 Suspicious Rundll32 Activity ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
2135 TA0005: Defense Evasion attack.t1085 Suspicious Rundll32 Activity CommandLine Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
2136 TA0005: Defense Evasion attack.t1085 Suspicious Rundll32 Activity LogonGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
2152 TA0005: Defense Evasion attack.t1085 Suspicious Rundll32 Activity Username Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
2153 TA0005: Defense Evasion attack.t1085 Suspicious Rundll32 Activity ProcessGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
2154 TA0005: Defense Evasion attack.t1085 Suspicious Rundll32 Activity ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
2155 TA0005: Defense Evasion attack.t1085 Suspicious Rundll32 Activity ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
2156 TA0005: Defense Evasion attack.t1085 Suspicious Rundll32 Activity ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
2157 TA0005: Defense Evasion attack.t1085 Suspicious Rundll32 Activity CommandLine Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
2158 TA0005: Defense Evasion attack.t1085 Suspicious Rundll32 Activity LogonGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
2179 TA0005: Defense Evasion attack.t1085 Suspicious Rundll32 Activity ProcessGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
2180 TA0005: Defense Evasion attack.t1085 Suspicious Rundll32 Activity ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
2181 TA0005: Defense Evasion attack.t1085 Suspicious Rundll32 Activity ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
2182 TA0005: Defense Evasion attack.t1085 Suspicious Rundll32 Activity ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
2183 TA0005: Defense Evasion attack.t1085 Suspicious Rundll32 Activity ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
2184 TA0005: Defense Evasion attack.t1085 Suspicious Rundll32 Activity ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
2185 TA0005: Defense Evasion attack.t1085 Suspicious Rundll32 Activity ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
2186 TA0005: Defense Evasion attack.t1085 Suspicious Rundll32 Activity CommandLine Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
2218 TA0005: Defense Evasion attack.t1085 Suspicious Rundll32 Activity Username Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
2219 TA0005: Defense Evasion attack.t1085 Suspicious Rundll32 Activity UserSid Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
2220 TA0005: Defense Evasion attack.t1085 Suspicious Rundll32 Activity ProcessPid Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
2221 TA0005: Defense Evasion attack.t1085 Suspicious Rundll32 Activity ProcessId Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
2222 TA0005: Defense Evasion attack.t1085 Suspicious Rundll32 Activity ThreadID Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
2223 TA0005: Defense Evasion attack.t1085 Suspicious Rundll32 Activity ProcessName Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
2224 TA0005: Defense Evasion attack.t1085 Suspicious Rundll32 Activity NewProcessName Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
2225 TA0005: Defense Evasion attack.t1085 Suspicious Rundll32 Activity Image Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
2237 TA0005: Defense Evasion attack.t1085 Suspicious Rundll32 Activity Username Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
2238 TA0005: Defense Evasion attack.t1085 Suspicious Rundll32 Activity UserSid Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
2239 TA0005: Defense Evasion attack.t1085 Suspicious Rundll32 Activity ProcessPid Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
2240 TA0005: Defense Evasion attack.t1085 Suspicious Rundll32 Activity ProcessId Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
2241 TA0005: Defense Evasion attack.t1085 Suspicious Rundll32 Activity ThreadID Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
2242 TA0005: Defense Evasion attack.t1085 Suspicious Rundll32 Activity ProcessName Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
2243 TA0005: Defense Evasion attack.t1085 Suspicious Rundll32 Activity NewProcessName Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
2244 TA0005: Defense Evasion attack.t1085 Suspicious Rundll32 Activity Image Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
2261 TA0005: Defense Evasion attack.t1085 Suspicious Rundll32 Activity UserSid Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
2262 TA0005: Defense Evasion attack.t1085 Suspicious Rundll32 Activity ProcessPid Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
2263 TA0005: Defense Evasion attack.t1085 Suspicious Rundll32 Activity ProcessPid Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
2264 TA0005: Defense Evasion attack.t1085 Suspicious Rundll32 Activity ProcessId Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
2265 TA0005: Defense Evasion attack.t1085 Suspicious Rundll32 Activity ProcessId Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
2266 TA0005: Defense Evasion attack.t1085 Suspicious Rundll32 Activity ThreadID Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
2267 TA0005: Defense Evasion attack.t1085 Suspicious Rundll32 Activity ThreadID Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
2268 TA0005: Defense Evasion attack.t1085 Suspicious Rundll32 Activity ProcessName Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
2269 TA0005: Defense Evasion attack.t1085 Suspicious Rundll32 Activity ProcessName Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
2270 TA0005: Defense Evasion attack.t1085 Suspicious Rundll32 Activity NewProcessName Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
2294 TA0002: Execution attack.t1085 Suspicious Rundll32 Activity Username Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
2295 TA0002: Execution attack.t1085 Suspicious Rundll32 Activity ProcessGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
2296 TA0002: Execution attack.t1085 Suspicious Rundll32 Activity ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
2297 TA0002: Execution attack.t1085 Suspicious Rundll32 Activity ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
2298 TA0002: Execution attack.t1085 Suspicious Rundll32 Activity ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
2299 TA0002: Execution attack.t1085 Suspicious Rundll32 Activity CommandLine Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
2300 TA0002: Execution attack.t1085 Suspicious Rundll32 Activity LogonGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 1 LP_0003_windows_sysmon_process_creation
2316 TA0002: Execution attack.t1085 Suspicious Rundll32 Activity Username Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
2317 TA0002: Execution attack.t1085 Suspicious Rundll32 Activity ProcessGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
2318 TA0002: Execution attack.t1085 Suspicious Rundll32 Activity ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
2319 TA0002: Execution attack.t1085 Suspicious Rundll32 Activity ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
2320 TA0002: Execution attack.t1085 Suspicious Rundll32 Activity ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
2321 TA0002: Execution attack.t1085 Suspicious Rundll32 Activity CommandLine Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
2322 TA0002: Execution attack.t1085 Suspicious Rundll32 Activity LogonGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline
2343 TA0002: Execution attack.t1085 Suspicious Rundll32 Activity ProcessGuid Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
2344 TA0002: Execution attack.t1085 Suspicious Rundll32 Activity ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
2345 TA0002: Execution attack.t1085 Suspicious Rundll32 Activity ProcessId Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
2346 TA0002: Execution attack.t1085 Suspicious Rundll32 Activity ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
2347 TA0002: Execution attack.t1085 Suspicious Rundll32 Activity ThreadID Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
2348 TA0002: Execution attack.t1085 Suspicious Rundll32 Activity ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
2349 TA0002: Execution attack.t1085 Suspicious Rundll32 Activity ProcessName Windows Windows Log Microsoft-Windows-Sysmon/Operational 4696 LP_0001_windows_audit_process_creation
2350 TA0002: Execution attack.t1085 Suspicious Rundll32 Activity CommandLine Windows Windows Log Microsoft-Windows-Sysmon/Operational 4688 LP_0001_windows_audit_process_creation
2382 TA0002: Execution attack.t1085 Suspicious Rundll32 Activity Username Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
2383 TA0002: Execution attack.t1085 Suspicious Rundll32 Activity UserSid Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
2384 TA0002: Execution attack.t1085 Suspicious Rundll32 Activity ProcessPid Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
2385 TA0002: Execution attack.t1085 Suspicious Rundll32 Activity ProcessId Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
2386 TA0002: Execution attack.t1085 Suspicious Rundll32 Activity ThreadID Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
2387 TA0002: Execution attack.t1085 Suspicious Rundll32 Activity ProcessName Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
2388 TA0002: Execution attack.t1085 Suspicious Rundll32 Activity NewProcessName Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
2389 TA0002: Execution attack.t1085 Suspicious Rundll32 Activity Image Windows Windows Log Security 1 LP_0003_windows_sysmon_process_creation
2401 TA0002: Execution attack.t1085 Suspicious Rundll32 Activity Username Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
2402 TA0002: Execution attack.t1085 Suspicious Rundll32 Activity UserSid Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
2403 TA0002: Execution attack.t1085 Suspicious Rundll32 Activity ProcessPid Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
2404 TA0002: Execution attack.t1085 Suspicious Rundll32 Activity ProcessId Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
2405 TA0002: Execution attack.t1085 Suspicious Rundll32 Activity ThreadID Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
2406 TA0002: Execution attack.t1085 Suspicious Rundll32 Activity ProcessName Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
2407 TA0002: Execution attack.t1085 Suspicious Rundll32 Activity NewProcessName Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
2408 TA0002: Execution attack.t1085 Suspicious Rundll32 Activity Image Windows Windows Log Security 4688 LP_0002_windows_audit_process_creation_with_commandline
2425 TA0002: Execution attack.t1085 Suspicious Rundll32 Activity UserSid Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
2426 TA0002: Execution attack.t1085 Suspicious Rundll32 Activity ProcessPid Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
2427 TA0002: Execution attack.t1085 Suspicious Rundll32 Activity ProcessPid Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
2428 TA0002: Execution attack.t1085 Suspicious Rundll32 Activity ProcessId Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
2429 TA0002: Execution attack.t1085 Suspicious Rundll32 Activity ProcessId Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
2430 TA0002: Execution attack.t1085 Suspicious Rundll32 Activity ThreadID Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
2431 TA0002: Execution attack.t1085 Suspicious Rundll32 Activity ThreadID Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
2432 TA0002: Execution attack.t1085 Suspicious Rundll32 Activity ProcessName Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
2433 TA0002: Execution attack.t1085 Suspicious Rundll32 Activity ProcessName Windows Windows Log Security 4696 LP_0001_windows_audit_process_creation
2434 TA0002: Execution attack.t1085 Suspicious Rundll32 Activity NewProcessName Windows Windows Log Security 4688 LP_0001_windows_audit_process_creation
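Review bot: the rows for `Suspicious Commandline Escape` and `Suspicious Rundll32 Activity` look like a cross join of channel, EventID and logging policy rather than each data needed's own triple: `Microsoft-Windows-Sysmon/Operational 4688 LP_0002_windows_audit_process_creation_with_commandline` pairs the Sysmon channel with a Security-log event ID, `Security 1 LP_0003_windows_sysmon_process_creation` does the reverse, and Sysmon-only fields such as ProcessGuid and LogonGuid are listed against Security 4696. Emit one row per (data needed, field) with the channel, EventID and policy taken from that data needed's definition; as generated, the CSV claims coverage that no single log source provides. The `ThreadID` rows also deserve a second look: in the samples further down, `ThreadID` and the `ProcessID` on the `<Execution ...>` element belong to the process that wrote the event, not to the process the analytic is about (compare `<Execution ProcessID="3892" ThreadID="5724" />` with `SourceProcessId` 6916 and `TargetProcessId` 672 in the DN_0014 sample), so listing it as a field these analytics consume is misleading.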

View File

@ -0,0 +1,51 @@
title: DN_0010_6_windows_sysmon_driver_loaded
description: >
The driver loaded events provides information about a driver being loaded on the system. The configured hashes are provided as well as signature information
loggingpolicy:
- None
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90006
- https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-6.md
category: OS Logs
platform: Windows
type: Windows Log
channel: Microsoft-Windows-Sysmon/Operational
provider: Microsoft-Windows-Sysmon
fields:
- EventID
- Computer
- UtcTime
- ImageLoaded
- Hashes
- Signed
- Signature
- SignatureStatus
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>6</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>6</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2018-12-09T21:41:44.778524700Z" />
<EventRecordID>4565</EventRecordID>
<Correlation />
<Execution ProcessID="2996" ThreadID="3992" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="UtcTime">2018-12-09 21:41:41.091</Data>
<Data Name="ImageLoaded">C:\Windows\System32\drivers\PROCEXP152.SYS</Data>
<Data Name="Hashes">MD5=8213C5972C91A56BE78CD02A4DE4E3FC,SHA256=95D07C3B8DF26790AC43BB4259F65D1E90B03EA31D66F1B3961D85E21C5FF590</Data>
<Data Name="Signed">true</Data>
<Data Name="Signature">Sysinternals</Data>
<Data Name="SignatureStatus">Valid</Data>
</EventData>
</Event>
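Review bot: the `sample:` block is not well-formed XML because the `- <Event`, `- <System>` and `- <EventData>` lines still carry the Event Viewer tree-expander markers that came along with the copied XML view; strip the leading `- ` so the sample can be handed to a parser (the same markers appear in every other sample added in this commit). Two smaller points in the same file: the description should read `The driver loaded event provides information about a driver being loaded on the system.` (singular subject, and a period to close the first sentence), and `RuleName` appears in the sample's EventData but is missing from `fields`.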

View File

@ -0,0 +1,56 @@
title: DN_0011_7_windows_sysmon_image_loaded
description: >
The image loaded event logs when a module is loaded in a specific process.
loggingpolicy:
- LP_0006_windows_sysmon_image_loaded
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90007
- https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-7.md
category: OS Logs
platform: Windows
type: Windows Log
channel: Microsoft-Windows-Sysmon/Operational
provider: Microsoft-Windows-Sysmon
fields:
- EventID
- Computer
- UtcTime
- ProcessGuid
- ProcessId
- Image
- ImageLoaded
- Hashes
- Signed
- Signature
- SignatureStatus
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>7</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>7</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2017-04-28T22:45:16.663226600Z" />
<EventRecordID>16636</EventRecordID>
<Correlation />
<Execution ProcessID="3216" ThreadID="3964" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>rfsH.lab.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="UtcTime">2017-04-28 22:45:16.662</Data>
<Data Name="ProcessGuid">{A23EAE89-C5FA-5903-0000-0010BF439000}</Data>
<Data Name="ProcessId">12536</Data>
<Data Name="Image">C:\Windows\System32\notepad.exe</Data>
<Data Name="ImageLoaded">C:\Windows\System32\ole32.dll</Data>
<Data Name="Hashes">SHA1=B2A2BBCFB69B1F0982C4B82055DAD9BAE4384E4B</Data>
<Data Name="Signed">true</Data>
<Data Name="Signature">Microsoft Windows</Data>
<Data Name="SignatureStatus">Valid</Data>
</EventData>
</Event>
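Review bot: `Hashes` in this sample carries only `SHA1=...` while the DN_0010 sample carries `MD5=...,SHA256=...`; the description should say, as DN_0010's does, that the hash set is whatever is configured, so anything consuming this field expects a variable list of `ALG=value` pairs rather than a fixed layout.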

View File

@ -0,0 +1,60 @@
title: DN_0012_8_windows_sysmon_CreateRemoteThread
description: >
The CreateRemoteThread event detects when a process creates a thread in another process.
loggingpolicy:
- None
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90008
- https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-8.md
category: OS Logs
platform: Windows
type: Windows Log
channel: Microsoft-Windows-Sysmon/Operational
provider: Microsoft-Windows-Sysmon
fields:
- EventID
- Computer
- UtcTime
- SourceProcessGuid
- SourceProcessId
- SourceImage
- TargetProcessGuid
- TargetProcessId
- TargetImage
- NewThreadId
- StartAddress
- StartModule
- StartFunction
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>8</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>8</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2017-05-13T22:53:43.214864300Z" />
<EventRecordID>739823</EventRecordID>
<Correlation />
<Execution ProcessID="2848" ThreadID="3520" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>rfsH.lab.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="UtcTime">2017-05-13 22:53:43.214</Data>
<Data Name="SourceProcessGuid">{A23EAE89-8E6D-5917-0000-0010DFAF5004}</Data>
<Data Name="SourceProcessId">8804</Data>
<Data Name="SourceImage">C:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\IDE\Remote Debugger\x64\msvsmon.exe</Data>
<Data Name="TargetProcessGuid">{A23EAE89-8E5A-5917-0000-00100E3E4D04}</Data>
<Data Name="TargetProcessId">2024</Data>
<Data Name="TargetImage">C:\repos\Supercharger\Mtg.Supercharger.ControllerService\bin\x64\Debug\Mtg.Supercharger.ControllerService.exe</Data>
<Data Name="NewThreadId">20532</Data>
<Data Name="StartAddress">0x00007FFB09321970</Data>
<Data Name="StartModule">C:\Windows\SYSTEM32\ntdll.dll</Data>
<Data Name="StartFunction">DbgUiRemoteBreakin</Data>
</EventData>
</Event>
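Review bot: the description should state what the sample itself shows: a legitimate debugger (`msvsmon.exe`, the Visual Studio Remote Debugger) creating a thread at `ntdll.dll` / `DbgUiRemoteBreakin` inside the process it is debugging. That is a common benign producer of Event ID 8, and naming it here helps analysts separate debugger attach from injection when they baseline `StartModule` and `StartFunction` values.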

View File

@ -0,0 +1,48 @@
title: DN_0013_9_windows_sysmon_RawAccessRead
description: >
The RawAccessRead event detects when a process conducts reading operations from the drive using the \\.\ denotation.
loggingpolicy:
- None
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90009
- https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-9.md
category: OS Logs
platform: Windows
type: Windows Log
channel: Microsoft-Windows-Sysmon/Operational
provider: Microsoft-Windows-Sysmon
fields:
- EventID
- Computer
- UtcTime
- ProcessGuid
- ProcessId
- Image
- Device
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>9</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>9</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2018-03-22T20:32:22.333778700Z" />
<EventRecordID>1944686</EventRecordID>
<Correlation />
<Execution ProcessID="19572" ThreadID="21888" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>rfsH.lab.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="UtcTime">2018-03-22 20:32:22.332</Data>
<Data Name="ProcessGuid">{A23EAE89-C65F-5AB2-0000-0010EB030000}</Data>
<Data Name="ProcessId">4</Data>
<Data Name="Image">System</Data>
<Data Name="Device">\Device\HarddiskVolume2</Data>
</EventData>
</Event>
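Review bot: the sample's `Image` is `System` with `ProcessId` 4, i.e. the kernel itself reading `\Device\HarddiskVolume2`; the description should say that this is expected background activity, so that detections built on this event key on user-mode images and on the `Device` field rather than on the event's mere presence.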

View File

@ -0,0 +1,59 @@
title: DN_0014_10_windows_sysmon_ProcessAccess
description: >
The process accessed event reports when a process opens another process, an operation thats often followed by information queries or reading and writing the address space of the target process.
loggingpolicy:
- LP_0007_windows_sysmon_ProcessAccess
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90010
- https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-10.md
category: OS Logs
platform: Windows
type: Windows Log
channel: Microsoft-Windows-Sysmon/Operational
provider: Microsoft-Windows-Sysmon
fields:
- EventID
- Computer
- UtcTime
- SourceProcessGUID
- SourceProcessId
- SourceThreadId
- SourceImage
- TargetProcessGUID
- TargetProcessId
- TargetImage
- GrantedAccess
- CallTrace
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>10</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>10</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-01-30T14:28:35.216091900Z" />
<EventRecordID>42444</EventRecordID>
<Correlation />
<Execution ProcessID="3892" ThreadID="5724" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="UtcTime">2019-01-30 14:28:35.212</Data>
<Data Name="SourceProcessGUID">{9683FBB1-B470-5C51-0000-0010521EBB00}</Data>
<Data Name="SourceProcessId">6916</Data>
<Data Name="SourceThreadId">8080</Data>
<Data Name="SourceImage">C:\Users\user1\Desktop\mimi\x64\mimikatz.exe</Data>
<Data Name="TargetProcessGUID">{9683FBB1-9A52-5C51-0000-0010C3610000}</Data>
<Data Name="TargetProcessId">672</Data>
<Data Name="TargetImage">C:\windows\system32\lsass.exe</Data>
<Data Name="GrantedAccess">0x1010</Data>
<Data Name="CallTrace">C:\windows\SYSTEM32\ntdll.dll+9a3c4|C:\windows\System32\KERNELBASE.dll+2fd5d|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+7a906|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+7ac75|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+7a82d|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+4d28c|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+4d0c4|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+4cea1|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+80675|C:\windows\System32\KERNEL32.DLL+13034|C:\windows\SYSTEM32\ntdll.dll+71471</Data>
</EventData>
</Event>
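Review bot: the `fields` list omits `RuleName`, which the sample's `<EventData>` carries as its first element (`<Data Name="RuleName" />`); the same omission is in every other DN file added in this commit whose sample includes it (DN_0015 through DN_0024). Add `- RuleName` so the field inventory matches what the event actually emits. Also, "thats" in `description` should be "that's".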

View File

@ -0,0 +1,51 @@
title: DN_0015_11_windows_sysmon_FileCreate
description: >
File create operations are logged when a file is created or overwritten. This event is useful for monitoring autostart locations, like the Startup folder, as well as temporary and download directories, which are common places malware drops during initial infection.
loggingpolicy:
- LP_0008_windows_sysmon_FileCreate
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90011
- https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-11.md
category: OS Logs
platform: Windows
type: Windows Log
channel: Microsoft-Windows-Sysmon/Operational
provider: Microsoft-Windows-Sysmon
fields:
- EventID
- Computer
- UtcTime
- ProcessGuid
- ProcessId
- Image
- TargetFilename
- CreationUtcTime
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>11</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>11</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-01-30T15:08:51.296611700Z" />
<EventRecordID>42528</EventRecordID>
<Correlation />
<Execution ProcessID="3892" ThreadID="5724" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="UtcTime">2019-01-30 15:08:51.287</Data>
<Data Name="ProcessGuid">{9683FBB1-9A3F-5C51-0000-0010EB030000}</Data>
<Data Name="ProcessId">4</Data>
<Data Name="Image">System</Data>
<Data Name="TargetFilename">C:\Windows\PSEXESVC.exe</Data>
<Data Name="CreationUtcTime">2019-01-30 15:08:51.287</Data>
</EventData>
</Event>
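Review bot: the sample shows `C:\Windows\PSEXESVC.exe` created by `Image=System` with `ProcessId=4`, which is what a file written over the ADMIN$ share looks like (the kernel SMB server performs the create), but `description` does not say so, and a rule author reading this page would expect the dropping process to be visible. One sentence noting that remotely written files are attributed to `System`, so detection has to key on `TargetFilename` rather than `Image`, would prevent that misreading.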

View File

@ -0,0 +1,51 @@
title: DN_0016_12_windows_sysmon_RegistryEvent
description: >
Registry key and value create and delete operations map to this event type, which can be useful for monitoring for changes to Registry autostart locations, or specific malware registry modifications.
loggingpolicy:
- None
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90012
- https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-12.md
category: OS Logs
platform: Windows
type: Windows Log
channel: Microsoft-Windows-Sysmon/Operational
provider: Microsoft-Windows-Sysmon
fields:
- EventID
- Computer
- EventType
- UtcTime
- ProcessGuid
- ProcessId
- Image
- TargetObject
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>12</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>12</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-01-30T17:05:28.027841800Z" />
<EventRecordID>42938</EventRecordID>
<Correlation />
<Execution ProcessID="3892" ThreadID="5724" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="EventType">DeleteKey</Data>
<Data Name="UtcTime">2019-01-30 17:05:28.023</Data>
<Data Name="ProcessGuid">{9683FBB1-D812-5C51-0000-0010F3871201}</Data>
<Data Name="ProcessId">10396</Data>
<Data Name="Image">C:\Windows\regedit.exe</Data>
<Data Name="TargetObject">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\New Key #1</Data>
</EventData>
</Event>

View File

@ -0,0 +1,53 @@
title: DN_0016_13_windows_sysmon_RegistryEvent
description: >
This Registry event type identifies Registry value modifications. The event records the value written for Registry values of type DWORD and QWORD.
loggingpolicy:
- None
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90013
- https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-13.md
category: OS Logs
platform: Windows
type: Windows Log
channel: Microsoft-Windows-Sysmon/Operational
provider: Microsoft-Windows-Sysmon
fields:
- EventID
- Computer
- EventType
- UtcTime
- ProcessGuid
- ProcessId
- Image
- TargetObject
- Details
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>13</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>13</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-01-30T17:06:11.698273500Z" />
<EventRecordID>42943</EventRecordID>
<Correlation />
<Execution ProcessID="3892" ThreadID="5724" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="EventType">SetValue</Data>
<Data Name="UtcTime">2019-01-30 17:06:11.673</Data>
<Data Name="ProcessGuid">{9683FBB1-D812-5C51-0000-0010F3871201}</Data>
<Data Name="ProcessId">10396</Data>
<Data Name="Image">C:\Windows\regedit.exe</Data>
<Data Name="TargetObject">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\New Value #1</Data>
<Data Name="Details">C:\Program Files\Sublime Text 3\sublime_text.exe</Data>
</EventData>
</Event>
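Review bot: `title: DN_0016_13_windows_sysmon_RegistryEvent` reuses the DN_0016 identifier already taken in this commit by the Event ID 12 file (`DN_0016_12_windows_sysmon_RegistryEvent`), and the next file is DN_0018. This one should be `DN_0017_13_windows_sysmon_RegistryEvent`, with the file name renamed to match.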

View File

@ -0,0 +1,53 @@
title: DN_0018_14_windows_sysmon_RegistryEvent
description: >
Registry key and value rename operations map to this event type, recording the new name of the key or value that was renamed.
loggingpolicy:
- None
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90014
- https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-14.md
category: OS Logs
platform: Windows
type: Windows Log
channel: Microsoft-Windows-Sysmon/Operational
provider: Microsoft-Windows-Sysmon
fields:
- EventID
- Computer
- EventType
- UtcTime
- ProcessGuid
- ProcessId
- Image
- TargetObject
- Details
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>14</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>14</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-01-30T18:16:38.889738400Z" />
<EventRecordID>43065</EventRecordID>
<Correlation />
<Execution ProcessID="3892" ThreadID="5724" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="EventType">RenameKey</Data>
<Data Name="UtcTime">2019-01-30 18:16:38.886</Data>
<Data Name="ProcessGuid">{9683FBB1-D812-5C51-0000-0010F3871201}</Data>
<Data Name="ProcessId">10396</Data>
<Data Name="Image">C:\Windows\regedit.exe</Data>
<Data Name="TargetObject">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\New Key #1</Data>
<Data Name="NewName">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\New Key #2</Data>
</EventData>
</Event>
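Review bot: `fields` lists `Details`, but the sample's `<EventData>` has no such field; Event ID 14 records the renamed key or value in `<Data Name="NewName">`. Replace `- Details` with `- NewName` so the inventory matches the event, and add `- RuleName`, which the sample also carries.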

View File

@ -0,0 +1,53 @@
title: DN_0019_15_windows_sysmon_FileCreateStreamHash
description: >
This event logs when a named file stream is created, and it generates events that log the hash of the contents of the file to which the stream is assigned (the unnamed stream), as well as the contents of the named stream.
loggingpolicy:
- None
references:
- https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-15.md
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015
category: OS Logs
platform: Windows
type: Windows Log
channel: Microsoft-Windows-Sysmon/Operational
provider: Microsoft-Windows-Sysmon
fields:
- EventID
- Computer
- UtcTime
- ProcessGuid
- ProcessId
- Image
- TargetFilename
- CreationUtcTime
- Hash
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>15</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>15</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-01-21T12:43:53.385072700Z" />
<EventRecordID>34115</EventRecordID>
<Correlation />
<Execution ProcessID="2052" ThreadID="4092" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="UtcTime">2019-01-21 12:43:53.368</Data>
<Data Name="ProcessGuid">{9683FBB1-A860-5C45-0000-0010274F1400}</Data>
<Data Name="ProcessId">6604</Data>
<Data Name="Image">C:\windows\Explorer.EXE</Data>
<Data Name="TargetFilename">C:\Users\user1\Downloads\wce_v1_42beta_x64\wce.exe</Data>
<Data Name="CreationUtcTime">2013-11-11 22:41:40.000</Data>
<Data Name="Hash">MD5=CCF1D1573F175299ADE01C07791A6541,SHA256=68A15A34C2E28B9B521A240B948634617D72AD619E3950BC6DC769E60A0C3CF2</Data>
</EventData>
</Event>

View File

@ -0,0 +1,49 @@
title: DN_0020_17_windows_sysmon_PipeEvent
description: >
This event generates when a named pipe is created. Malware often uses named pipes for interprocess communication.
loggingpolicy:
- LP_0009_windows_sysmon_PipeEvent
references:
- https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-17.md
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90017
category: OS Logs
platform: Windows
type: Windows Log
channel: Microsoft-Windows-Sysmon/Operational
provider: Microsoft-Windows-Sysmon
fields:
- EventID
- Computer
- UtcTime
- ProcessGuid
- ProcessId
- PipeName
- Image
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>17</EventID>
<Version>1</Version>
<Level>4</Level>
<Task>17</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-05T13:37:34.396695400Z" />
<EventRecordID>46617</EventRecordID>
<Correlation />
<Execution ProcessID="3172" ThreadID="4192" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="UtcTime">2019-02-05 13:37:34.396</Data>
<Data Name="ProcessGuid">{9683FBB1-919E-5C59-0000-0010A0E53B00}</Data>
<Data Name="ProcessId">7128</Data>
<Data Name="PipeName">\PSEXESVC-ATC-WIN-7-2728-stdin</Data>
<Data Name="Image">C:\windows\PSEXESVC.exe</Data>
</EventData>
</Event>

View File

@ -0,0 +1,49 @@
title: DN_0021_18_windows_sysmon_PipeEvent
description: >
This event logs when a named pipe connection is made between a client and a server.
loggingpolicy:
- LP_0009_windows_sysmon_PipeEvent
references:
- https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-18.md
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90018
category: OS Logs
platform: Windows
type: Windows Log
channel: Microsoft-Windows-Sysmon/Operational
provider: Microsoft-Windows-Sysmon
fields:
- EventID
- Computer
- UtcTime
- ProcessGuid
- ProcessId
- PipeName
- Image
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>18</EventID>
<Version>1</Version>
<Level>4</Level>
<Task>18</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-05T13:37:34.457379300Z" />
<EventRecordID>46620</EventRecordID>
<Correlation />
<Execution ProcessID="3172" ThreadID="4192" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>tdl-win-10.tdl.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="UtcTime">2019-02-05 13:37:34.455</Data>
<Data Name="ProcessGuid">{9683FBB1-8B5F-5C59-0000-0010EB030000}</Data>
<Data Name="ProcessId">4</Data>
<Data Name="PipeName">\PSEXESVC-TDL-WIN-7-2728-stdin</Data>
<Data Name="Image">System</Data>
</EventData>
</Event>
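Review bot: the sample's `Computer` is `tdl-win-10.tdl.local` and the pipe is `\PSEXESVC-TDL-WIN-7-2728-stdin`, while the Event ID 17 sample from the same PsExec session (same PID 2728, same second `13:37:34`) in `DN_0020_17_windows_sysmon_PipeEvent` reads `atc-win-10.atc.local` and `\PSEXESVC-ATC-WIN-7-2728-stdin`; the hostname rewrite was missed in this file and should be made consistent. It is also worth stating in `description` that the connecting `Image` here is `System` (PID 4) because the client connects over SMB, so Event 18 on the target never shows the remote client process.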

View File

@ -0,0 +1,53 @@
title: DN_0022_19_windows_sysmon_WmiEvent
description: >
When a WMI event filter is registered, which is a method used by malware to execute, this event logs the WMI namespace, filter name and filter expression.
loggingpolicy:
- LP_0010_windows_sysmon_WmiEvent
references:
- https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-19.md
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90019
category: OS Logs
platform: Windows
type: Windows Log
channel: Microsoft-Windows-Sysmon/Operational
provider: Microsoft-Windows-Sysmon
fields:
- EventID
- Computer
- EventType
- UtcTime
- Operation
- User
- EventNamespace
- Name
- Query
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>19</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>19</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-05T14:44:42.434534600Z" />
<EventRecordID>46712</EventRecordID>
<Correlation />
<Execution ProcessID="3172" ThreadID="444" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="EventType">WmiFilterEvent</Data>
<Data Name="UtcTime">2019-02-05 14:44:42.432</Data>
<Data Name="Operation">Created</Data>
<Data Name="User">atc-win-10\user1</Data>
<Data Name="EventNamespace">"root\\CimV2"</Data>
<Data Name="Name">"AtomicRedTeam-WMIPersistence-Example"</Data>
<Data Name="Query">"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"</Data>
</EventData>
</Event>

View File

@ -0,0 +1,53 @@
title: DN_0023_20_windows_sysmon_WmiEvent
description: >
This event logs the registration of WMI consumers, recording the consumer name, log, and destination.
loggingpolicy:
- LP_0010_windows_sysmon_WmiEvent
references:
- https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-20.md
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90020
category: OS Logs
platform: Windows
type: Windows Log
channel: Microsoft-Windows-Sysmon/Operational
provider: Microsoft-Windows-Sysmon
fields:
- EventID
- Computer
- EventType
- UtcTime
- Operation
- User
- Name
- Type
- Destination
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>20</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>20</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-05T14:44:42.518512400Z" />
<EventRecordID>46713</EventRecordID>
<Correlation />
<Execution ProcessID="3172" ThreadID="444" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="EventType">WmiConsumerEvent</Data>
<Data Name="UtcTime">2019-02-05 14:44:42.510</Data>
<Data Name="Operation">Created</Data>
<Data Name="User">atc-win-10\user1</Data>
<Data Name="Name">"AtomicRedTeam-WMIPersistence-Example"</Data>
<Data Name="Type">Command Line</Data>
<Data Name="Destination">"C:\\windows\\System32\\notepad.exe"</Data>
</EventData>
</Event>

View File

@ -0,0 +1,51 @@
title: DN_0024_21_windows_sysmon_WmiEvent
description: >
When a consumer binds to a filter, this event logs the consumer name and filter path.
loggingpolicy:
- LP_0010_windows_sysmon_WmiEvent
references:
- https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-21.md
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90021
category: OS Logs
platform: Windows
type: Windows Log
channel: Microsoft-Windows-Sysmon/Operational
provider: Microsoft-Windows-Sysmon
fields:
- EventID
- Computer
- EventType
- UtcTime
- Operation
- User
- Consumer
- Filter
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>21</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>21</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-05T14:44:47.091658300Z" />
<EventRecordID>46714</EventRecordID>
<Correlation />
<Execution ProcessID="3172" ThreadID="444" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="EventType">WmiBindingEvent</Data>
<Data Name="UtcTime">2019-02-05 14:44:47.087</Data>
<Data Name="Operation">Created</Data>
<Data Name="User">atc-win-10\user1</Data>
<Data Name="Consumer">"\\\\.\\ROOT\\subscription:CommandLineEventConsumer.Name=\"AtomicRedTeam-WMIPersistence-Example\""</Data>
<Data Name="Filter">"\\\\.\\ROOT\\subscription:__EventFilter.Name=\"AtomicRedTeam-WMIPersistence-Example\""</Data>
</EventData>
</Event>

View File

@ -0,0 +1,18 @@
title: LP_0006_windows_sysmon_image_loaded
default: Not configured
volume: High
description: >
The image loaded event logs when a module is loaded in a specific process.
This event is disabled by default and needs to be configured with the l option.
It indicates the process in which the module is loaded, hashes and signature information.
The signature is created asynchronously for performance reasons and indicates if the file was removed after loading.
This event should be configured carefully, as monitoring all image load events will generate a large number of events.
eventID:
- 7
references:
- https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
configuration: |
Sysmon event id 7 is disabled by default.
It can be enabled by specyfying -l option
However due to high level of produced logs it should be filtred with configuration file
Sample configuration might be found here: https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml
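Review bot: `title: LP_0006_windows_sysmon_image_loaded` breaks the naming used by the other logging policies in this commit, which carry the Sysmon event name verbatim (`LP_0007_windows_sysmon_ProcessAccess`, `LP_0008_windows_sysmon_FileCreate`, `LP_0009_windows_sysmon_PipeEvent`); rename to `LP_0006_windows_sysmon_ImageLoad` to match the `<ImageLoad>` rule tag. In `description`, "the l option" should read "the `-l` option", and in `configuration` "specyfying" and "filtred" are misspelled. The other policies inline a minimal rule fragment; this one only links to the SwiftOnSecurity file, so a short `<ImageLoad onmatch="include">` fragment here would keep the files consistent.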

View File

@ -0,0 +1,29 @@
title: LP_0007_windows_sysmon_ProcessAccess
default: Not configured
volume: High
description: >
The process accessed event reports when a process opens another process,
an operation thats often followed by information queries or reading and writing the address
space of the target process. This enables detection of hacking tools that read the memory
contents of processes like Local Security Authority (Lsass.exe) in order to steal credentials for use in Pass-the-Hash
attacks. Enabling it can generate significant amounts of logging if there are diagnostic utilities active
that repeatedly open processes to query their state, so it generally should only be done so with filters
that remove expected accesses.
eventID:
- 10
references:
- https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
configuration: |
Sysmon event id 10 is disabled by default.
It can be enabled by specyfying configuration
However due to high level of produced logs it should be filtred with configuration file
Sample configuration:
```
<ProcessAccess onmatch="include">
<TargetImage condition="is">C:\Windows\system32\lsass.exe</TargetImage>
</ProcessAccess>
<ProcessAccess onmatch="exclude">
<SourceImage condition="is">C:\windows\system32\wbem\wmiprvse.exe</SourceImage>
<SourceImage condition="is">C:\windows\system32\svchost.exe</TargetImage>
</ProcessAccess>
```
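Review bot: the sample configuration is not well-formed XML: the second exclude rule opens with `<SourceImage condition="is">` and closes with `</TargetImage>` (the `C:\windows\system32\svchost.exe` line), so Sysmon will reject the whole config file when it is loaded with `-c`. Close it with `</SourceImage>`. Two smaller points: because exclude matches take precedence over include matches, excluding on `SourceImage` alone means anything running inside `svchost.exe` or `wmiprvse.exe` that opens lsass is silently dropped, so pair those exclusions with a `GrantedAccess` condition rather than a blanket image exclude; and "thats", "specyfying" and "filtred" are misspelled.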

View File

@ -0,0 +1,89 @@
title: LP_0008_windows_sysmon_FileCreate
default: Partially (Other)
volume: High
description: >
File create operations are logged when a file is created or overwritten. This event is useful for monitoring autostart locations, like the Startup folder, as well as temporary and download directories, which are common places malware drops during initial infection.
eventID:
- 11
references:
- https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
configuration: |
Sysmon event id 11 is enabled by default however default configuration might not be sufficient.
Sample configuration providing much better visibility might be found here: https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml
```
<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime-->
<FileCreate onmatch="include">
<TargetFilename condition="contains">\Start Menu</TargetFilename> <!--Microsoft:Windows: Startup links and shortcut modification [ https://attack.mitre.org/wiki/Technique/T1023 ] -->
<TargetFilename condition="contains">\Startup\</TargetFilename> <!--Microsoft:Office: Changes to user's auto-launched files and shortcuts-->
<TargetFilename condition="contains">\Content.Outlook\</TargetFilename> <!--Microsoft:Outlook: attachments-->
<TargetFilename condition="contains">\Downloads\</TargetFilename> <!--Downloaded files. Does not include "Run" files in IE-->
<TargetFilename condition="end with">.application</TargetFilename> <!--Microsoft:ClickOnce: [ https://blog.netspi.com/all-you-need-is-one-a-clickonce-love-story/ ] -->
<TargetFilename condition="end with">.appref-ms</TargetFilename> <!--Microsoft:ClickOnce application | Credit @ion-storm -->
<TargetFilename condition="end with">.bat</TargetFilename> <!--Batch scripting-->
<TargetFilename condition="end with">.chm</TargetFilename>
<TargetFilename condition="end with">.cmd</TargetFilename> <!--Batch scripting: Batch scripts can also use the .cmd extension | Credit: @mmazanec -->
<TargetFilename condition="end with">.cmdline</TargetFilename> <!--Microsoft:dotNet: Executed by cvtres.exe-->
<TargetFilename condition="end with">.docm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
<TargetFilename condition="end with">.exe</TargetFilename> <!--Executable-->
<TargetFilename condition="end with">.jar</TargetFilename> <!--Java applets-->
<TargetFilename condition="end with">.jnlp</TargetFilename> <!--Java applets-->
<TargetFilename condition="end with">.jse</TargetFilename> <!--Scripting [ Example: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Mal~Phires-C/detailed-analysis.aspx ] -->
<TargetFilename condition="end with">.hta</TargetFilename> <!--Scripting-->
<TargetFilename condition="end with">.pptm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
<TargetFilename condition="end with">.ps1</TargetFilename> <!--PowerShell [ More information: http://www.hexacorn.com/blog/2014/08/27/beyond-good-ol-run-key-part-16/ ] -->
<TargetFilename condition="end with">.sys</TargetFilename> <!--System driver files-->
<TargetFilename condition="end with">.scr</TargetFilename> <!--System driver files-->
<TargetFilename condition="end with">.vbe</TargetFilename> <!--VisualBasicScripting-->
<TargetFilename condition="end with">.vbs</TargetFilename> <!--VisualBasicScripting-->
<TargetFilename condition="end with">.xlsm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
<TargetFilename condition="end with">proj</TargetFilename><!--Microsoft:MSBuild:Script: More information: https://twitter.com/subTee/status/885919612969394177-->
<TargetFilename condition="end with">.sln</TargetFilename><!--Microsoft:MSBuild:Script: More information: https://twitter.com/subTee/status/885919612969394177-->
<TargetFilename condition="begin with">C:\Users\Default</TargetFilename> <!--Microsoft:Windows: Changes to default user profile-->
<TargetFilename condition="begin with">C:\Windows\system32\Drivers</TargetFilename> <!--Microsoft: Drivers dropped here-->
<TargetFilename condition="begin with">C:\Windows\SysWOW64\Drivers</TargetFilename> <!--Microsoft: Drivers dropped here-->
<TargetFilename condition="begin with">C:\Windows\system32\GroupPolicy\Machine\Scripts</TargetFilename> <!--Group policy [ More information: http://www.hexacorn.com/blog/2017/01/07/beyond-good-ol-run-key-part-52/ ] -->
<TargetFilename condition="begin with">C:\Windows\system32\GroupPolicy\User\Scripts</TargetFilename> <!--Group policy [ More information: http://www.hexacorn.com/blog/2017/01/07/beyond-good-ol-run-key-part-52/ ] -->
<TargetFilename condition="begin with">C:\Windows\system32\Wbem</TargetFilename> <!--Microsoft:WMI: [ More information: http://2014.hackitoergosum.org/slides/day1_WMI_Shell_Andrei_Dumitrescu.pdf ] -->
<TargetFilename condition="begin with">C:\Windows\SysWOW64\Wbem</TargetFilename> <!--Microsoft:WMI: [ More information: http://2014.hackitoergosum.org/slides/day1_WMI_Shell_Andrei_Dumitrescu.pdf ] -->
<TargetFilename condition="begin with">C:\Windows\system32\WindowsPowerShell</TargetFilename> <!--Microsoft:Powershell: Look for modifications for persistence [ https://www.malwarearchaeology.com/cheat-sheets ] -->
<TargetFilename condition="begin with">C:\Windows\SysWOW64\WindowsPowerShell</TargetFilename> <!--Microsoft:Powershell: Look for modifications for persistence [ https://www.malwarearchaeology.com/cheat-sheets ] -->
<TargetFilename condition="begin with">C:\Windows\Tasks\</TargetFilename> <!--Microsoft:ScheduledTasks [ https://attack.mitre.org/wiki/Technique/T1053 ] -->
<TargetFilename condition="begin with">C:\Windows\system32\Tasks</TargetFilename> <!--Microsoft:ScheduledTasks [ https://attack.mitre.org/wiki/Technique/T1053 ] -->
<!--Windows application compatibility-->
<TargetFilename condition="begin with">C:\Windows\AppPatch\Custom</TargetFilename> <!--Microsoft:Windows: Application compatibility shims [ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html ] -->
<TargetFilename condition="contains">VirtualStore</TargetFilename> <!--Microsoft:Windows: UAC virtualization [ https://blogs.msdn.microsoft.com/oldnewthing/20150902-00/?p=91681 ] -->
<!--Exploitable file names-->
<TargetFilename condition="end with">.xls</TargetFilename> <!--Legacy Office files are often used for attacks-->
<TargetFilename condition="end with">.ppt</TargetFilename> <!--Legacy Office files are often used for attacks-->
<TargetFilename condition="end with">.rft</TargetFilename> <!--RTF files often 0day malware vectors when opened by Office-->
</FileCreate>
<FileCreate onmatch="exclude">
<!--SECTION: Microsoft-->
<Image condition="is">C:\Program Files (x86)\EMET 5.5\EMET_Service.exe</Image> <!--Microsoft:EMET: Writes to C:\Windows\AppPatch\-->
<!--SECTION: Microsoft:Office-->
<TargetFilename condition="is">C:\Windows\System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask</TargetFilename>
<!--SECTION: Microsoft:Office:Click2Run-->
<Image condition="is">C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe</Image> <!-- Microsoft:Office Click2Run-->
<!--SECTION: Microsoft:Windows-->
<Image condition="is">C:\Windows\system32\smss.exe</Image> <!-- Microsoft:Windows: Session Manager SubSystem: Creates swapfile.sys,pagefile.sys,hiberfile.sys-->
<Image condition="is">C:\Windows\system32\CompatTelRunner.exe</Image> <!-- Microsoft:Windows: Windows 10 app, creates tons of cache files-->
<Image condition="is">\\?\C:\Windows\system32\wbem\WMIADAP.EXE</Image> <!-- Microsoft:Windows: WMI Performance updates-->
<Image condition="is">C:\Windows\system32\mobsync.exe</Image> <!--Microsoft:Windows: Network file syncing-->
<TargetFilename condition="begin with">C:\Windows\system32\DriverStore\Temp\</TargetFilename> <!-- Microsoft:Windows: Temp files by DrvInst.exe-->
<TargetFilename condition="begin with">C:\Windows\system32\wbem\Performance\</TargetFilename> <!-- Microsoft:Windows: Created in wbem by WMIADAP.exe-->
<TargetFilename condition="end with">WRITABLE.TST</TargetFilename> <!-- Microsoft:Windows: Created in wbem by svchost-->
<TargetFilename condition="begin with">C:\Windows\Installer\</TargetFilename> <!--Microsoft:Windows:Installer: Ignore MSI installer files caching-->
<!--SECTION: Microsoft:Windows:Updates-->
<TargetFilename condition="begin with">C:\$WINDOWS.~BT\Sources\</TargetFilename> <!-- Microsoft:Windows: Feature updates containing lots of .exe and .sys-->
<Image condition="begin with">C:\Windows\winsxs\amd64_microsoft-windows</Image> <!-- Microsoft:Windows: Windows update-->
<!--SECTION: Dell-->
<Image condition="is">C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe</Image>
<!--SECTION: Intel-->
<Image condition="is">C:\Windows\system32\igfxCUIService.exe</Image> <!--Intel: Drops bat and other files in \Windows in normal operation-->
<!--SECTION: Adobe-->
<TargetFilename condition="is">C:\Windows\System32\Tasks\Adobe Acrobat Update Task</TargetFilename>
<TargetFilename condition="is">C:\Windows\System32\Tasks\Adobe Flash Player Updater</TargetFilename>
</FileCreate>
```
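Review bot: the include rule `<TargetFilename condition="end with">.rft</TargetFilename>` (commented "RTF files often 0day malware vectors when opened by Office") never matches anything, since the extension is `.rtf`; the block is copied from the linked SwiftOnSecurity config, so check whether the typo needs fixing upstream as well, but correct it here regardless. Several rule comments are also wrong in a way that will mislead tuning: `.scr` is annotated "System driver files" (copy-pasted from the `.sys` line; `.scr` is a screensaver, i.e. an executable), and `.pptm` and `.xlsm` are both annotated "Microsoft:Office:Word: Macro" (PowerPoint and Excel respectively).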

View File

@ -0,0 +1,18 @@
title: LP_0009_windows_sysmon_PipeEvent
default: Not configured
volume: Low
description: >
Enables logging of events related to usage or creation of pipes.
eventID:
- 17
- 18
references:
- https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
configuration: |
This configuration should be further tunned according to baseline
Sample configuration:
```
<PipeEvent onmatch="exclude">
</PipeEvent>
```
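Review bot: "tunned" in `configuration` should be "tuned". The empty `<PipeEvent onmatch="exclude">` block enables logging of every pipe creation and connection (Event IDs 17 and 18), which is the right starting point, but say so explicitly: a reader can easily take an empty block to mean nothing is logged.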

View File

@ -0,0 +1,23 @@
title: LP_0010_windows_sysmon_WmiEvent
default: Not configured
volume: Low
description: >
Enables logging of events related to usage of windows management interface.
Possible events are:
- WmiEventFilter activity detected
- WmiEventConsumer activity detected
- WmiEventConsumerToFilter activity detected
eventID:
- 19
- 20
- 21
references:
- https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
configuration: |
This configuration should be further tunned according to baseline
Sample configuration:
```
<WmiEvent onmatch="exclude">
</WmiEvent>
```
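Review bot: `description` says "windows management interface"; WMI is Windows Management Instrumentation. "tunned" should be "tuned". The three bullets would also be more useful if they quoted the `EventType` values the samples actually carry (`WmiFilterEvent`, `WmiConsumerEvent`, `WmiBindingEvent`), since that is the field a rule matches on.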

View File

@ -258,7 +258,8 @@ def calculate_dn_for_dr(dict_of_dn_files, dict_of_logsource_fields_from_dr, dr_l
list_of_DN_matched_by_fields_and_logsource.append(dn.get('title'))
# and only in the last step we check EventID
if dr_dn['EventID'] != None:
if 'EventID' in dr_dn:
eventID = dr_dn['EventID']
for dn in dn_list:
if dn['title'] in list_of_DN_matched_by_fields_and_logsource:
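Review bot: `if 'EventID' in dr_dn:` fixes the KeyError when a detection rule has no `EventID` key, but it drops the guard the old line provided against an explicit `EventID: None` (a YAML null), which now reaches `eventID = dr_dn['EventID']` with `eventID` set to `None` and is compared against DN event IDs in the loop below. `if dr_dn.get('EventID') is not None:` covers both cases in one check.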