mirror of
https://github.com/valitydev/atomic-threat-coverage.git
synced 2024-11-06 17:45:23 +00:00
28 KiB
28 KiB
| 1 | tactic | technique | title | field | dn_PLATFORM | dn_TYPE | dn_channel | dn_event_id | logging_policy_title |
|---|---|---|---|---|---|---|---|---|---|
| 2 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | EventID | Windows | Windows Log | Security | 4624 | LP_0004_windows_audit_logon |
| 3 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | EventID | Windows | Windows Log | Security | 4625 | LP_0004_windows_audit_logon |
| 4 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | EventID | Windows | Windows Log | Security | 4648 | LP_0004_windows_audit_logon |
| 5 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | EventID | Windows | Windows Log | Security | 4675 | LP_0004_windows_audit_logon |
| 6 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | AccountName | Windows | Windows Log | Security | 4624 | LP_0004_windows_audit_logon |
| 7 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | AccountName | Windows | Windows Log | Security | 4625 | LP_0004_windows_audit_logon |
| 8 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | AccountName | Windows | Windows Log | Security | 4648 | LP_0004_windows_audit_logon |
| 9 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | AccountName | Windows | Windows Log | Security | 4675 | LP_0004_windows_audit_logon |
| 10 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | Hostname | Windows | Windows Log | Security | 4624 | LP_0004_windows_audit_logon |
| 11 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | Hostname | Windows | Windows Log | Security | 4625 | LP_0004_windows_audit_logon |
| 12 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | Hostname | Windows | Windows Log | Security | 4648 | LP_0004_windows_audit_logon |
| 13 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | Hostname | Windows | Windows Log | Security | 4675 | LP_0004_windows_audit_logon |
| 14 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | Computer | Windows | Windows Log | Security | 4624 | LP_0004_windows_audit_logon |
| 15 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | Computer | Windows | Windows Log | Security | 4625 | LP_0004_windows_audit_logon |
| 16 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | Computer | Windows | Windows Log | Security | 4648 | LP_0004_windows_audit_logon |
| 17 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | Computer | Windows | Windows Log | Security | 4675 | LP_0004_windows_audit_logon |
| 18 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | SubjectUserSid | Windows | Windows Log | Security | 4624 | LP_0004_windows_audit_logon |
| 19 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | SubjectUserSid | Windows | Windows Log | Security | 4625 | LP_0004_windows_audit_logon |
| 20 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | SubjectUserSid | Windows | Windows Log | Security | 4648 | LP_0004_windows_audit_logon |
| 21 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | SubjectUserSid | Windows | Windows Log | Security | 4675 | LP_0004_windows_audit_logon |
| 22 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | SubjectUserName | Windows | Windows Log | Security | 4624 | LP_0004_windows_audit_logon |
| 23 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | SubjectUserName | Windows | Windows Log | Security | 4625 | LP_0004_windows_audit_logon |
| 24 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | SubjectUserName | Windows | Windows Log | Security | 4648 | LP_0004_windows_audit_logon |
| 25 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | SubjectUserName | Windows | Windows Log | Security | 4675 | LP_0004_windows_audit_logon |
| 26 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | SubjectDomainName | Windows | Windows Log | Security | 4624 | LP_0004_windows_audit_logon |
| 27 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | SubjectDomainName | Windows | Windows Log | Security | 4625 | LP_0004_windows_audit_logon |
| 28 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | SubjectDomainName | Windows | Windows Log | Security | 4648 | LP_0004_windows_audit_logon |
| 29 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | SubjectDomainName | Windows | Windows Log | Security | 4675 | LP_0004_windows_audit_logon |
| 30 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | SubjectLogonId | Windows | Windows Log | Security | 4624 | LP_0004_windows_audit_logon |
| 31 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | SubjectLogonId | Windows | Windows Log | Security | 4625 | LP_0004_windows_audit_logon |
| 32 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | SubjectLogonId | Windows | Windows Log | Security | 4648 | LP_0004_windows_audit_logon |
| 33 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | SubjectLogonId | Windows | Windows Log | Security | 4675 | LP_0004_windows_audit_logon |
| 34 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | TargetUserSid | Windows | Windows Log | Security | 4624 | LP_0004_windows_audit_logon |
| 35 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | TargetUserSid | Windows | Windows Log | Security | 4625 | LP_0004_windows_audit_logon |
| 36 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | TargetUserSid | Windows | Windows Log | Security | 4648 | LP_0004_windows_audit_logon |
| 37 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | TargetUserSid | Windows | Windows Log | Security | 4675 | LP_0004_windows_audit_logon |
| 38 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | TargetUserName | Windows | Windows Log | Security | 4624 | LP_0004_windows_audit_logon |
| 39 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | TargetUserName | Windows | Windows Log | Security | 4625 | LP_0004_windows_audit_logon |
| 40 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | TargetUserName | Windows | Windows Log | Security | 4648 | LP_0004_windows_audit_logon |
| 41 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | TargetUserName | Windows | Windows Log | Security | 4675 | LP_0004_windows_audit_logon |
| 42 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | TargetDomainName | Windows | Windows Log | Security | 4624 | LP_0004_windows_audit_logon |
| 43 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | TargetDomainName | Windows | Windows Log | Security | 4625 | LP_0004_windows_audit_logon |
| 44 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | TargetDomainName | Windows | Windows Log | Security | 4648 | LP_0004_windows_audit_logon |
| 45 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | TargetDomainName | Windows | Windows Log | Security | 4675 | LP_0004_windows_audit_logon |
| 46 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | TargetLogonId | Windows | Windows Log | Security | 4624 | LP_0004_windows_audit_logon |
| 47 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | TargetLogonId | Windows | Windows Log | Security | 4625 | LP_0004_windows_audit_logon |
| 48 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | TargetLogonId | Windows | Windows Log | Security | 4648 | LP_0004_windows_audit_logon |
| 49 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | TargetLogonId | Windows | Windows Log | Security | 4675 | LP_0004_windows_audit_logon |
| 50 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | LogonType | Windows | Windows Log | Security | 4624 | LP_0004_windows_audit_logon |
| 51 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | LogonType | Windows | Windows Log | Security | 4625 | LP_0004_windows_audit_logon |
| 52 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | LogonType | Windows | Windows Log | Security | 4648 | LP_0004_windows_audit_logon |
| 53 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | LogonType | Windows | Windows Log | Security | 4675 | LP_0004_windows_audit_logon |
| 54 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | LogonProcessName | Windows | Windows Log | Security | 4624 | LP_0004_windows_audit_logon |
| 55 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | LogonProcessName | Windows | Windows Log | Security | 4625 | LP_0004_windows_audit_logon |
| 56 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | LogonProcessName | Windows | Windows Log | Security | 4648 | LP_0004_windows_audit_logon |
| 57 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | LogonProcessName | Windows | Windows Log | Security | 4675 | LP_0004_windows_audit_logon |
| 58 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | AuthenticationPackageName | Windows | Windows Log | Security | 4624 | LP_0004_windows_audit_logon |
| 59 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | AuthenticationPackageName | Windows | Windows Log | Security | 4625 | LP_0004_windows_audit_logon |
| 60 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | AuthenticationPackageName | Windows | Windows Log | Security | 4648 | LP_0004_windows_audit_logon |
| 61 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | AuthenticationPackageName | Windows | Windows Log | Security | 4675 | LP_0004_windows_audit_logon |
| 62 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | WorkstationName | Windows | Windows Log | Security | 4624 | LP_0004_windows_audit_logon |
| 63 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | WorkstationName | Windows | Windows Log | Security | 4625 | LP_0004_windows_audit_logon |
| 64 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | WorkstationName | Windows | Windows Log | Security | 4648 | LP_0004_windows_audit_logon |
| 65 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | WorkstationName | Windows | Windows Log | Security | 4675 | LP_0004_windows_audit_logon |
| 66 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | LogonGuid | Windows | Windows Log | Security | 4624 | LP_0004_windows_audit_logon |
| 67 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | LogonGuid | Windows | Windows Log | Security | 4625 | LP_0004_windows_audit_logon |
| 68 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | LogonGuid | Windows | Windows Log | Security | 4648 | LP_0004_windows_audit_logon |
| 69 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | LogonGuid | Windows | Windows Log | Security | 4675 | LP_0004_windows_audit_logon |
| 70 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | TransmittedServices | Windows | Windows Log | Security | 4624 | LP_0004_windows_audit_logon |
| 71 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | TransmittedServices | Windows | Windows Log | Security | 4625 | LP_0004_windows_audit_logon |
| 72 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | TransmittedServices | Windows | Windows Log | Security | 4648 | LP_0004_windows_audit_logon |
| 73 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | TransmittedServices | Windows | Windows Log | Security | 4675 | LP_0004_windows_audit_logon |
| 74 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | LmPackageName | Windows | Windows Log | Security | 4624 | LP_0004_windows_audit_logon |
| 75 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | LmPackageName | Windows | Windows Log | Security | 4625 | LP_0004_windows_audit_logon |
| 76 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | LmPackageName | Windows | Windows Log | Security | 4648 | LP_0004_windows_audit_logon |
| 77 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | LmPackageName | Windows | Windows Log | Security | 4675 | LP_0004_windows_audit_logon |
| 78 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | KeyLength | Windows | Windows Log | Security | 4624 | LP_0004_windows_audit_logon |
| 79 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | KeyLength | Windows | Windows Log | Security | 4625 | LP_0004_windows_audit_logon |
| 80 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | KeyLength | Windows | Windows Log | Security | 4648 | LP_0004_windows_audit_logon |
| 81 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | KeyLength | Windows | Windows Log | Security | 4675 | LP_0004_windows_audit_logon |
| 82 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | ProcessId | Windows | Windows Log | Security | 4624 | LP_0004_windows_audit_logon |
| 83 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | ProcessId | Windows | Windows Log | Security | 4625 | LP_0004_windows_audit_logon |
| 84 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | ProcessId | Windows | Windows Log | Security | 4648 | LP_0004_windows_audit_logon |
| 85 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | ProcessId | Windows | Windows Log | Security | 4675 | LP_0004_windows_audit_logon |
| 86 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | ProcessName | Windows | Windows Log | Security | 4624 | LP_0004_windows_audit_logon |
| 87 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | ProcessName | Windows | Windows Log | Security | 4625 | LP_0004_windows_audit_logon |
| 88 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | ProcessName | Windows | Windows Log | Security | 4648 | LP_0004_windows_audit_logon |
| 89 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | ProcessName | Windows | Windows Log | Security | 4675 | LP_0004_windows_audit_logon |
| 90 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | IpAddress | Windows | Windows Log | Security | 4624 | LP_0004_windows_audit_logon |
| 91 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | IpAddress | Windows | Windows Log | Security | 4625 | LP_0004_windows_audit_logon |
| 92 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | IpAddress | Windows | Windows Log | Security | 4648 | LP_0004_windows_audit_logon |
| 93 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | IpAddress | Windows | Windows Log | Security | 4675 | LP_0004_windows_audit_logon |
| 94 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | IpPort | Windows | Windows Log | Security | 4624 | LP_0004_windows_audit_logon |
| 95 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | IpPort | Windows | Windows Log | Security | 4625 | LP_0004_windows_audit_logon |
| 96 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | IpPort | Windows | Windows Log | Security | 4648 | LP_0004_windows_audit_logon |
| 97 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | IpPort | Windows | Windows Log | Security | 4675 | LP_0004_windows_audit_logon |
| 98 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | ImpersonationLevel | Windows | Windows Log | Security | 4624 | LP_0004_windows_audit_logon |
| 99 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | ImpersonationLevel | Windows | Windows Log | Security | 4625 | LP_0004_windows_audit_logon |
| 100 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | ImpersonationLevel | Windows | Windows Log | Security | 4648 | LP_0004_windows_audit_logon |
| 101 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | ImpersonationLevel | Windows | Windows Log | Security | 4675 | LP_0004_windows_audit_logon |
| 102 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | RestrictedAdminMode | Windows | Windows Log | Security | 4624 | LP_0004_windows_audit_logon |
| 103 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | RestrictedAdminMode | Windows | Windows Log | Security | 4625 | LP_0004_windows_audit_logon |
| 104 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | RestrictedAdminMode | Windows | Windows Log | Security | 4648 | LP_0004_windows_audit_logon |
| 105 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | RestrictedAdminMode | Windows | Windows Log | Security | 4675 | LP_0004_windows_audit_logon |
| 106 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | TargetOutboundUserName | Windows | Windows Log | Security | 4624 | LP_0004_windows_audit_logon |
| 107 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | TargetOutboundUserName | Windows | Windows Log | Security | 4625 | LP_0004_windows_audit_logon |
| 108 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | TargetOutboundUserName | Windows | Windows Log | Security | 4648 | LP_0004_windows_audit_logon |
| 109 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | TargetOutboundUserName | Windows | Windows Log | Security | 4675 | LP_0004_windows_audit_logon |
| 110 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | TargetOutboundDomainName | Windows | Windows Log | Security | 4624 | LP_0004_windows_audit_logon |
| 111 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | TargetOutboundDomainName | Windows | Windows Log | Security | 4625 | LP_0004_windows_audit_logon |
| 112 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | TargetOutboundDomainName | Windows | Windows Log | Security | 4648 | LP_0004_windows_audit_logon |
| 113 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | TargetOutboundDomainName | Windows | Windows Log | Security | 4675 | LP_0004_windows_audit_logon |
| 114 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | VirtualAccount | Windows | Windows Log | Security | 4624 | LP_0004_windows_audit_logon |
| 115 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | VirtualAccount | Windows | Windows Log | Security | 4625 | LP_0004_windows_audit_logon |
| 116 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | VirtualAccount | Windows | Windows Log | Security | 4648 | LP_0004_windows_audit_logon |
| 117 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | VirtualAccount | Windows | Windows Log | Security | 4675 | LP_0004_windows_audit_logon |
| 118 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | TargetLinkedLogonId | Windows | Windows Log | Security | 4624 | LP_0004_windows_audit_logon |
| 119 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | TargetLinkedLogonId | Windows | Windows Log | Security | 4625 | LP_0004_windows_audit_logon |
| 120 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | TargetLinkedLogonId | Windows | Windows Log | Security | 4648 | LP_0004_windows_audit_logon |
| 121 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | TargetLinkedLogonId | Windows | Windows Log | Security | 4675 | LP_0004_windows_audit_logon |
| 122 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | ElevatedToken | Windows | Windows Log | Security | 4624 | LP_0004_windows_audit_logon |
| 123 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | ElevatedToken | Windows | Windows Log | Security | 4625 | LP_0004_windows_audit_logon |
| 124 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | ElevatedToken | Windows | Windows Log | Security | 4648 | LP_0004_windows_audit_logon |
| 125 | TA0008: Lateral Movement | attack.t1078 | Admin User Remote Logon | ElevatedToken | Windows | Windows Log | Security | 4675 | LP_0004_windows_audit_logon |
| 126 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | EventID | Windows | Windows Log | Microsoft-Windows-Sysmon/Operational | 4688 | LP_0002_windows_audit_process_creation_with_commandline |
| 127 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | Hostname | Windows | Windows Log | Microsoft-Windows-Sysmon/Operational | 4688 | LP_0002_windows_audit_process_creation_with_commandline |
| 128 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | Username | Windows | Windows Log | Microsoft-Windows-Sysmon/Operational | 4688 | LP_0002_windows_audit_process_creation_with_commandline |
| 129 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | ProcessGuid | Windows | Windows Log | Microsoft-Windows-Sysmon/Operational | 4688 | LP_0002_windows_audit_process_creation_with_commandline |
| 130 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | ProcessId | Windows | Windows Log | Microsoft-Windows-Sysmon/Operational | 4688 | LP_0002_windows_audit_process_creation_with_commandline |
| 131 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | ProcessName | Windows | Windows Log | Microsoft-Windows-Sysmon/Operational | 4688 | LP_0002_windows_audit_process_creation_with_commandline |
| 132 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | CommandLine | Windows | Windows Log | Microsoft-Windows-Sysmon/Operational | 4688 | LP_0002_windows_audit_process_creation_with_commandline |
| 133 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | LogonGuid | Windows | Windows Log | Microsoft-Windows-Sysmon/Operational | 4688 | LP_0002_windows_audit_process_creation_with_commandline |
| 134 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | LogonId | Windows | Windows Log | Microsoft-Windows-Sysmon/Operational | 4688 | LP_0002_windows_audit_process_creation_with_commandline |
| 135 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | TerminalSessionid | Windows | Windows Log | Microsoft-Windows-Sysmon/Operational | 4688 | LP_0002_windows_audit_process_creation_with_commandline |
| 136 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | IntegrityLevel | Windows | Windows Log | Microsoft-Windows-Sysmon/Operational | 4688 | LP_0002_windows_audit_process_creation_with_commandline |
| 137 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | Imphash | Windows | Windows Log | Microsoft-Windows-Sysmon/Operational | 4688 | LP_0002_windows_audit_process_creation_with_commandline |
| 138 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | Sha256hash | Windows | Windows Log | Microsoft-Windows-Sysmon/Operational | 4688 | LP_0002_windows_audit_process_creation_with_commandline |
| 139 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | Sha1hash | Windows | Windows Log | Microsoft-Windows-Sysmon/Operational | 4688 | LP_0002_windows_audit_process_creation_with_commandline |
| 140 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | Md5hash | Windows | Windows Log | Microsoft-Windows-Sysmon/Operational | 4688 | LP_0002_windows_audit_process_creation_with_commandline |
| 141 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | ParentProcessGuid | Windows | Windows Log | Microsoft-Windows-Sysmon/Operational | 4688 | LP_0002_windows_audit_process_creation_with_commandline |
| 142 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | ParentProcessId | Windows | Windows Log | Microsoft-Windows-Sysmon/Operational | 4688 | LP_0002_windows_audit_process_creation_with_commandline |
| 143 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | ParentProcessName | Windows | Windows Log | Microsoft-Windows-Sysmon/Operational | 4688 | LP_0002_windows_audit_process_creation_with_commandline |
| 144 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | ParentCommandLine | Windows | Windows Log | Microsoft-Windows-Sysmon/Operational | 4688 | LP_0002_windows_audit_process_creation_with_commandline |
| 145 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | EventID | Windows | Windows Log | Security | 4688 | LP_0002_windows_audit_process_creation_with_commandline |
| 146 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | Hostname | Windows | Windows Log | Security | 4688 | LP_0002_windows_audit_process_creation_with_commandline |
| 147 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | Username | Windows | Windows Log | Security | 4688 | LP_0002_windows_audit_process_creation_with_commandline |
| 148 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | UserSid | Windows | Windows Log | Security | 4688 | LP_0002_windows_audit_process_creation_with_commandline |
| 149 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | ProcessPid | Windows | Windows Log | Security | 4688 | LP_0002_windows_audit_process_creation_with_commandline |
| 150 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | ProcessName | Windows | Windows Log | Security | 4688 | LP_0002_windows_audit_process_creation_with_commandline |
| 151 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | NewProcessName | Windows | Windows Log | Security | 4688 | LP_0002_windows_audit_process_creation_with_commandline |
| 152 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | Image | Windows | Windows Log | Security | 4688 | LP_0002_windows_audit_process_creation_with_commandline |
| 153 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | CommandLine | Windows | Windows Log | Security | 4688 | LP_0002_windows_audit_process_creation_with_commandline |
| 154 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | ProcessCommandLine | Windows | Windows Log | Security | 4688 | LP_0002_windows_audit_process_creation_with_commandline |
| 155 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | ProcesssCommandLine | Windows | Windows Log | Security | 4688 | LP_0002_windows_audit_process_creation_with_commandline |
| 156 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | ParentProcessPid | Windows | Windows Log | Security | 4688 | LP_0002_windows_audit_process_creation_with_commandline |
| 157 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | ParentProcessName | Windows | Windows Log | Security | 4688 | LP_0002_windows_audit_process_creation_with_commandline |
| 158 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | MandatoryLabel | Windows | Windows Log | Security | 4688 | LP_0002_windows_audit_process_creation_with_commandline |
| 159 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | TokenElevationType | Windows | Windows Log | Security | 4688 | LP_0002_windows_audit_process_creation_with_commandline |
| 160 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | LogonId | Windows | Windows Log | Security | 4688 | LP_0002_windows_audit_process_creation_with_commandline |
| 161 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | EventID | Windows | Windows Log | Microsoft-Windows-Sysmon/Operational | -1 | - |
| 162 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | Hostname | Windows | Windows Log | Microsoft-Windows-Sysmon/Operational | -1 | - |
| 163 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | Username | Windows | Windows Log | Microsoft-Windows-Sysmon/Operational | -1 | - |
| 164 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | ProcessGuid | Windows | Windows Log | Microsoft-Windows-Sysmon/Operational | -1 | - |
| 165 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | ProcessId | Windows | Windows Log | Microsoft-Windows-Sysmon/Operational | -1 | - |
| 166 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | ProcessName | Windows | Windows Log | Microsoft-Windows-Sysmon/Operational | -1 | - |
| 167 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | CommandLine | Windows | Windows Log | Microsoft-Windows-Sysmon/Operational | -1 | - |
| 168 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | LogonGuid | Windows | Windows Log | Microsoft-Windows-Sysmon/Operational | -1 | - |
| 169 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | LogonId | Windows | Windows Log | Microsoft-Windows-Sysmon/Operational | -1 | - |
| 170 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | TerminalSessionid | Windows | Windows Log | Microsoft-Windows-Sysmon/Operational | -1 | - |
| 171 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | IntegrityLevel | Windows | Windows Log | Microsoft-Windows-Sysmon/Operational | -1 | - |
| 172 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | Imphash | Windows | Windows Log | Microsoft-Windows-Sysmon/Operational | -1 | - |
| 173 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | Sha256hash | Windows | Windows Log | Microsoft-Windows-Sysmon/Operational | -1 | - |
| 174 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | Sha1hash | Windows | Windows Log | Microsoft-Windows-Sysmon/Operational | -1 | - |
| 175 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | Md5hash | Windows | Windows Log | Microsoft-Windows-Sysmon/Operational | -1 | - |
| 176 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | ParentProcessGuid | Windows | Windows Log | Microsoft-Windows-Sysmon/Operational | -1 | - |
| 177 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | ParentProcessId | Windows | Windows Log | Microsoft-Windows-Sysmon/Operational | -1 | - |
| 178 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | ParentProcessName | Windows | Windows Log | Microsoft-Windows-Sysmon/Operational | -1 | - |
| 179 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | ParentCommandLine | Windows | Windows Log | Microsoft-Windows-Sysmon/Operational | -1 | - |
| 180 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | EventID | Windows | Windows Log | Security | -1 | - |
| 181 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | Hostname | Windows | Windows Log | Security | -1 | - |
| 182 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | Username | Windows | Windows Log | Security | -1 | - |
| 183 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | UserSid | Windows | Windows Log | Security | -1 | - |
| 184 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | ProcessPid | Windows | Windows Log | Security | -1 | - |
| 185 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | ProcessName | Windows | Windows Log | Security | -1 | - |
| 186 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | NewProcessName | Windows | Windows Log | Security | -1 | - |
| 187 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | Image | Windows | Windows Log | Security | -1 | - |
| 188 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | CommandLine | Windows | Windows Log | Security | -1 | - |
| 189 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | ProcessCommandLine | Windows | Windows Log | Security | -1 | - |
| 190 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | ProcesssCommandLine | Windows | Windows Log | Security | -1 | - |
| 191 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | ParentProcessPid | Windows | Windows Log | Security | -1 | - |
| 192 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | ParentProcessName | Windows | Windows Log | Security | -1 | - |
| 193 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | MandatoryLabel | Windows | Windows Log | Security | -1 | - |
| 194 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | TokenElevationType | Windows | Windows Log | Security | -1 | - |
| 195 | TA0005: Defense Evasion | attack.t1036 | Suspicious Process Start Locations | LogonId | Windows | Windows Log | Security | -1 | - |