mirror of
https://github.com/valitydev/atomic-threat-coverage.git
synced 2024-11-06 17:45:23 +00:00
240 KiB
240 KiB
1 | tactic | technique | detection rule | category | platform | type | channel | provider | data needed | logging policy | enrichment | enrichment requirements | response playbook | response action |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2 | TA0002: Execution | T1047: Windows Management Instrumentation | WMI Persistence - Script Event Consumer | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0001_windows_audit_process_creation | - | - | - | |
3 | TA0002: Execution | T1047: Windows Management Instrumentation | WMI Persistence - Script Event Consumer | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
4 | TA0002: Execution | T1047: Windows Management Instrumentation | WMI Persistence - Script Event Consumer | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
5 | TA0002: Execution | T1047: Windows Management Instrumentation | WMI Persistence - Script Event Consumer | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0001_windows_audit_process_creation | - | - | - | |
6 | TA0002: Execution | T1047: Windows Management Instrumentation | WMI Persistence - Script Event Consumer | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
7 | TA0002: Execution | T1047: Windows Management Instrumentation | WMI Persistence - Script Event Consumer | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
8 | TA0002: Execution | T1047: Windows Management Instrumentation | WMI Persistence - Script Event Consumer | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0001_windows_audit_process_creation | - | - | - | |
9 | TA0002: Execution | T1047: Windows Management Instrumentation | WMI Persistence - Script Event Consumer | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0003_windows_sysmon_process_creation | - | - | - | |
10 | TA0002: Execution | T1047: Windows Management Instrumentation | WMI Persistence - Script Event Consumer | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
11 | TA0003: Persistence | T1047: Windows Management Instrumentation | WMI Persistence - Script Event Consumer | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0001_windows_audit_process_creation | - | - | - | |
12 | TA0003: Persistence | T1047: Windows Management Instrumentation | WMI Persistence - Script Event Consumer | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
13 | TA0003: Persistence | T1047: Windows Management Instrumentation | WMI Persistence - Script Event Consumer | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
14 | TA0003: Persistence | T1047: Windows Management Instrumentation | WMI Persistence - Script Event Consumer | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0001_windows_audit_process_creation | - | - | - | |
15 | TA0003: Persistence | T1047: Windows Management Instrumentation | WMI Persistence - Script Event Consumer | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
16 | TA0003: Persistence | T1047: Windows Management Instrumentation | WMI Persistence - Script Event Consumer | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
17 | TA0003: Persistence | T1047: Windows Management Instrumentation | WMI Persistence - Script Event Consumer | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0001_windows_audit_process_creation | - | - | - | |
18 | TA0003: Persistence | T1047: Windows Management Instrumentation | WMI Persistence - Script Event Consumer | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0003_windows_sysmon_process_creation | - | - | - | |
19 | TA0003: Persistence | T1047: Windows Management Instrumentation | WMI Persistence - Script Event Consumer | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
20 | TA0007: Discovery | T1087: Account Discovery | Reconnaissance Activity | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0030_4662_operation_was_performed_on_an_object | LP_0027_windows_audit_directory_service_access | - | - | - | |
21 | TA0007: Discovery | T1087: Account Discovery | Reconnaissance Activity | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0030_4662_operation_was_performed_on_an_object | LP_0028_windows_audit_sam | - | - | - | |
22 | TA0007: Discovery | T1087: Account Discovery | Reconnaissance Activity | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0029_4661_handle_to_an_object_was_requested | LP_0027_windows_audit_directory_service_access | - | - | - | |
23 | TA0007: Discovery | T1087: Account Discovery | Reconnaissance Activity | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0029_4661_handle_to_an_object_was_requested | LP_0028_windows_audit_sam | - | - | - | |
24 | TA0007: Discovery | T1069: Permission Groups Discovery | Reconnaissance Activity | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0030_4662_operation_was_performed_on_an_object | LP_0027_windows_audit_directory_service_access | - | - | - | |
25 | TA0007: Discovery | T1069: Permission Groups Discovery | Reconnaissance Activity | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0030_4662_operation_was_performed_on_an_object | LP_0028_windows_audit_sam | - | - | - | |
26 | TA0007: Discovery | T1069: Permission Groups Discovery | Reconnaissance Activity | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0029_4661_handle_to_an_object_was_requested | LP_0027_windows_audit_directory_service_access | - | - | - | |
27 | TA0007: Discovery | T1069: Permission Groups Discovery | Reconnaissance Activity | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0029_4661_handle_to_an_object_was_requested | LP_0028_windows_audit_sam | - | - | - | |
28 | TA0004: Privilege Escalation | T1015: Accessibility Features | Sticky Key Like Backdoor Usage | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0017_13_windows_sysmon_RegistryEvent | - | - | - | - | |
29 | TA0004: Privilege Escalation | T1015: Accessibility Features | Sticky Key Like Backdoor Usage | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0017_13_windows_sysmon_RegistryEvent | LP_0003_windows_sysmon_process_creation | - | - | - | |
30 | TA0004: Privilege Escalation | T1015: Accessibility Features | Sticky Key Like Backdoor Usage | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | - | - | - | - | |
31 | TA0004: Privilege Escalation | T1015: Accessibility Features | Sticky Key Like Backdoor Usage | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
32 | TA0003: Persistence | T1015: Accessibility Features | Sticky Key Like Backdoor Usage | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0017_13_windows_sysmon_RegistryEvent | - | - | - | - | |
33 | TA0003: Persistence | T1015: Accessibility Features | Sticky Key Like Backdoor Usage | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0017_13_windows_sysmon_RegistryEvent | LP_0003_windows_sysmon_process_creation | - | - | - | |
34 | TA0003: Persistence | T1015: Accessibility Features | Sticky Key Like Backdoor Usage | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | - | - | - | - | |
35 | TA0003: Persistence | T1015: Accessibility Features | Sticky Key Like Backdoor Usage | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
36 | TA0005: Defense Evasion | T1191: CMSTP | CMSTP Execution | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0017_13_windows_sysmon_RegistryEvent | - | - | - | - | |
37 | TA0005: Defense Evasion | T1191: CMSTP | CMSTP Execution | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0017_13_windows_sysmon_RegistryEvent | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
38 | TA0005: Defense Evasion | T1191: CMSTP | CMSTP Execution | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0017_13_windows_sysmon_RegistryEvent | LP_0003_windows_sysmon_process_creation | - | - | - | |
39 | TA0005: Defense Evasion | T1191: CMSTP | CMSTP Execution | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0014_10_windows_sysmon_ProcessAccess | - | - | - | - | |
40 | TA0005: Defense Evasion | T1191: CMSTP | CMSTP Execution | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0014_10_windows_sysmon_ProcessAccess | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
41 | TA0005: Defense Evasion | T1191: CMSTP | CMSTP Execution | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0014_10_windows_sysmon_ProcessAccess | LP_0003_windows_sysmon_process_creation | - | - | - | |
42 | TA0005: Defense Evasion | T1191: CMSTP | CMSTP Execution | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0016_12_windows_sysmon_RegistryEvent | - | - | - | - | |
43 | TA0005: Defense Evasion | T1191: CMSTP | CMSTP Execution | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0016_12_windows_sysmon_RegistryEvent | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
44 | TA0005: Defense Evasion | T1191: CMSTP | CMSTP Execution | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0016_12_windows_sysmon_RegistryEvent | LP_0003_windows_sysmon_process_creation | - | - | - | |
45 | TA0005: Defense Evasion | T1191: CMSTP | CMSTP Execution | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | - | - | - | - | |
46 | TA0005: Defense Evasion | T1191: CMSTP | CMSTP Execution | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
47 | TA0005: Defense Evasion | T1191: CMSTP | CMSTP Execution | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
48 | TA0002: Execution | T1191: CMSTP | CMSTP Execution | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0017_13_windows_sysmon_RegistryEvent | - | - | - | - | |
49 | TA0002: Execution | T1191: CMSTP | CMSTP Execution | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0017_13_windows_sysmon_RegistryEvent | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
50 | TA0002: Execution | T1191: CMSTP | CMSTP Execution | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0017_13_windows_sysmon_RegistryEvent | LP_0003_windows_sysmon_process_creation | - | - | - | |
51 | TA0002: Execution | T1191: CMSTP | CMSTP Execution | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0014_10_windows_sysmon_ProcessAccess | - | - | - | - | |
52 | TA0002: Execution | T1191: CMSTP | CMSTP Execution | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0014_10_windows_sysmon_ProcessAccess | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
53 | TA0002: Execution | T1191: CMSTP | CMSTP Execution | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0014_10_windows_sysmon_ProcessAccess | LP_0003_windows_sysmon_process_creation | - | - | - | |
54 | TA0002: Execution | T1191: CMSTP | CMSTP Execution | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0016_12_windows_sysmon_RegistryEvent | - | - | - | - | |
55 | TA0002: Execution | T1191: CMSTP | CMSTP Execution | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0016_12_windows_sysmon_RegistryEvent | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
56 | TA0002: Execution | T1191: CMSTP | CMSTP Execution | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0016_12_windows_sysmon_RegistryEvent | LP_0003_windows_sysmon_process_creation | - | - | - | |
57 | TA0002: Execution | T1191: CMSTP | CMSTP Execution | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | - | - | - | - | |
58 | TA0002: Execution | T1191: CMSTP | CMSTP Execution | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
59 | TA0002: Execution | T1191: CMSTP | CMSTP Execution | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
60 | TA0006: Credential Access | T1208: Kerberoasting | Suspicious Kerberos RC4 Ticket Encryption | - | - | - | - | - | - | - | - | - | - | |
61 | TA0006: Credential Access | T1003: Credential Dumping | SAM Dump to AppData | OS Logs | Windows | Windows Log | System | Microsoft-Windows-Kernel-General | DN_0083_16_access_history_in_hive_was_cleared | - | - | - | - | |
62 | TA0002: Execution | T1047: Windows Management Instrumentation | Suspicious WMI execution | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
63 | TA0005: Defense Evasion | T1085: Rundll32 | PowerShell Rundll32 Remote Thread Creation | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0012_8_windows_sysmon_CreateRemoteThread | - | - | - | - | |
64 | TA0005: Defense Evasion | T1086: PowerShell | PowerShell Rundll32 Remote Thread Creation | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0012_8_windows_sysmon_CreateRemoteThread | - | - | - | - | |
65 | TA0002: Execution | T1085: Rundll32 | PowerShell Rundll32 Remote Thread Creation | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0012_8_windows_sysmon_CreateRemoteThread | - | - | - | - | |
66 | TA0002: Execution | T1086: PowerShell | PowerShell Rundll32 Remote Thread Creation | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0012_8_windows_sysmon_CreateRemoteThread | - | - | - | - | |
67 | TA0008: Lateral Movement | T1003: Credential Dumping | Mimikatz Detection LSASS Access | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0014_10_windows_sysmon_ProcessAccess | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
68 | TA0006: Credential Access | T1003: Credential Dumping | Mimikatz Detection LSASS Access | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0014_10_windows_sysmon_ProcessAccess | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
69 | TA0005: Defense Evasion | T1086: PowerShell | PowerShell Downgrade Attack | OS Logs | Windows | Applications and Services Logs | Windows PowerShell | PowerShell | DN_0038_400_windows_powershell_engine_lifecycle | - | - | - | - | |
70 | TA0002: Execution | T1086: PowerShell | PowerShell Downgrade Attack | OS Logs | Windows | Applications and Services Logs | Windows PowerShell | PowerShell | DN_0038_400_windows_powershell_engine_lifecycle | - | - | - | - | |
71 | TA0002: Execution | T1086: PowerShell | Suspicious PowerShell Download | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | DN_0037_4103_windows_powershell_executing_pipeline | - | - | - | - | |
72 | TA0002: Execution | T1086: PowerShell | Suspicious PowerShell Download | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | DN_0036_4104_windows_powershell_script_block | - | - | - | - | |
73 | TA0002: Execution | T1035: Service Execution | PsExec Service Start | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0001_windows_audit_process_creation | - | - | - | |
74 | TA0002: Execution | T1035: Service Execution | PsExec Service Start | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
75 | TA0002: Execution | T1035: Service Execution | PsExec Service Start | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0001_windows_audit_process_creation | - | - | - | |
76 | TA0002: Execution | T1035: Service Execution | PsExec Service Start | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
77 | TA0005: Defense Evasion | T1088: Bypass User Account Control | CMSTP UAC Bypass via COM Object Access | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
78 | TA0005: Defense Evasion | T1191: CMSTP | CMSTP UAC Bypass via COM Object Access | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
79 | TA0004: Privilege Escalation | T1088: Bypass User Account Control | CMSTP UAC Bypass via COM Object Access | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
80 | TA0004: Privilege Escalation | T1191: CMSTP | CMSTP UAC Bypass via COM Object Access | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
81 | TA0002: Execution | T1088: Bypass User Account Control | CMSTP UAC Bypass via COM Object Access | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
82 | TA0002: Execution | T1191: CMSTP | CMSTP UAC Bypass via COM Object Access | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
83 | TA0006: Credential Access | T1003: Credential Dumping | Malicious Service Install | OS Logs | Windows | Windows Log | System | Service Control Manager | DN_0005_7045_windows_service_insatalled | - | - | - | - | |
84 | TA0006: Credential Access | T1003: Credential Dumping | Malicious Service Install | OS Logs | Windows | Windows Log | System | Microsoft-Windows-Kernel-General | DN_0083_16_access_history_in_hive_was_cleared | - | - | - | - | |
85 | TA0003: Persistence | T1138: Application Shimming | Possible Shim Database Persistence via sdbinst.exe | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
86 | TA0005: Defense Evasion | T1170: Mshta | MSHTA Spawning Windows Shell | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
87 | TA0002: Execution | T1170: Mshta | MSHTA Spawning Windows Shell | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
88 | TA0005: Defense Evasion | T1140: Deobfuscate/Decode Files or Information | Suspicious Certutil Command | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
89 | TA0004: Privilege Escalation | T1183: Image File Execution Options Injection | Registry Persistence Mechanisms | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0017_13_windows_sysmon_RegistryEvent | - | - | - | - | |
90 | TA0003: Persistence | T1183: Image File Execution Options Injection | Registry Persistence Mechanisms | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0017_13_windows_sysmon_RegistryEvent | - | - | - | - | |
91 | TA0005: Defense Evasion | T1183: Image File Execution Options Injection | Registry Persistence Mechanisms | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0017_13_windows_sysmon_RegistryEvent | - | - | - | - | |
92 | TA0005: Defense Evasion | T1117: Regsvr32 | Regsvr32 Anomaly | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
93 | TA0002: Execution | T1117: Regsvr32 | Regsvr32 Anomaly | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
94 | TA0002: Execution | T1086: PowerShell | PowerShell Network Connections | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0007_3_windows_sysmon_network_connection | LP_0005_windows_sysmon_network_connection | - | - | - | |
95 | TA0002: Execution | T1086: PowerShell | Malicious Base64 encoded PowerShell Keywords in command lines | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0001_windows_audit_process_creation | - | - | - | |
96 | TA0002: Execution | T1086: PowerShell | Malicious Base64 encoded PowerShell Keywords in command lines | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
97 | TA0002: Execution | T1086: PowerShell | Malicious Base64 encoded PowerShell Keywords in command lines | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0001_windows_audit_process_creation | - | - | - | |
98 | TA0002: Execution | T1086: PowerShell | Malicious Base64 encoded PowerShell Keywords in command lines | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
99 | TA0003: Persistence | T1078: Valid Accounts | Account Tampering - Suspicious Failed Logon Reasons | - | - | - | - | - | - | - | - | - | - | |
100 | TA0004: Privilege Escalation | T1078: Valid Accounts | Account Tampering - Suspicious Failed Logon Reasons | - | - | - | - | - | - | - | - | - | - | |
101 | TA0006: Credential Access | T1003: Credential Dumping | Mimikatz DC Sync | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0030_4662_operation_was_performed_on_an_object | LP_0027_windows_audit_directory_service_access | - | - | - | |
102 | TA0005: Defense Evasion | T1070: Indicator Removal on Host | Eventlog Cleared Experimental | OS Logs | Windows | Windows Log | System | Microsoft-Windows-Eventlog | DN_0034_104_log_file_was_cleared | - | - | - | - | |
103 | TA0005: Defense Evasion | T1107: File Deletion | Secure Deletion with SDelete | - | - | - | - | - | - | - | - | - | - | |
104 | TA0005: Defense Evasion | T1116: Code Signing | Secure Deletion with SDelete | - | - | - | - | - | - | - | - | - | - | |
105 | TA0006: Credential Access | T1098: Account Manipulation | Active Directory User Backdoors | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0026_5136_windows_directory_service_object_was_modified | - | - | - | - | |
106 | TA0006: Credential Access | T1098: Account Manipulation | Active Directory User Backdoors | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0026_5136_windows_directory_service_object_was_modified | LP_0026_windows_audit_user_account_management | - | - | - | |
107 | TA0006: Credential Access | T1098: Account Manipulation | Active Directory User Backdoors | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0027_4738_user_account_was_changed | - | - | - | - | |
108 | TA0006: Credential Access | T1098: Account Manipulation | Active Directory User Backdoors | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0027_4738_user_account_was_changed | LP_0026_windows_audit_user_account_management | - | - | - | |
109 | TA0007: Discovery | T1087: Account Discovery | Hacktool Use | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0004_4624_windows_account_logon | LP_0004_windows_audit_logon | - | - | - | |
110 | TA0007: Discovery | T1075: Pass the Hash | Hacktool Use | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0004_4624_windows_account_logon | LP_0004_windows_audit_logon | - | - | - | |
111 | TA0007: Discovery | T1114: Email Collection | Hacktool Use | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0004_4624_windows_account_logon | LP_0004_windows_audit_logon | - | - | - | |
112 | TA0007: Discovery | T1059: Command-Line Interface | Hacktool Use | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0004_4624_windows_account_logon | LP_0004_windows_audit_logon | - | - | - | |
113 | TA0002: Execution | T1087: Account Discovery | Hacktool Use | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0004_4624_windows_account_logon | LP_0004_windows_audit_logon | - | - | - | |
114 | TA0002: Execution | T1075: Pass the Hash | Hacktool Use | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0004_4624_windows_account_logon | LP_0004_windows_audit_logon | - | - | - | |
115 | TA0002: Execution | T1114: Email Collection | Hacktool Use | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0004_4624_windows_account_logon | LP_0004_windows_audit_logon | - | - | - | |
116 | TA0002: Execution | T1059: Command-Line Interface | Hacktool Use | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0004_4624_windows_account_logon | LP_0004_windows_audit_logon | - | - | - | |
117 | TA0005: Defense Evasion | T1197: BITS Jobs | Bitsadmin Download | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
118 | TA0003: Persistence | T1197: BITS Jobs | Bitsadmin Download | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
119 | TA0002: Execution | T1086: PowerShell | Malicious PowerShell Commandlets | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | DN_0037_4103_windows_powershell_executing_pipeline | - | - | - | - | |
120 | TA0002: Execution | T1086: PowerShell | Malicious PowerShell Commandlets | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | DN_0036_4104_windows_powershell_script_block | - | - | - | - | |
121 | TA0002: Execution | T1086: PowerShell | Suspicious PowerShell Invocation based on Parent Process | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
122 | TA0004: Privilege Escalation | T1178: SID-History Injection | Addition of SID History to Active Directory Object | - | - | - | - | - | - | - | - | - | - | |
123 | TA0006: Credential Access | T1208: Kerberoasting | NTLM Logon | - | - | - | - | - | - | - | - | - | - | |
124 | TA0003: Persistence | T1084: Windows Management Instrumentation Event Subscription | WMI Persistence - Command Line Event Consumer | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0011_7_windows_sysmon_image_loaded | LP_0006_windows_sysmon_image_loaded | - | - | - | |
125 | TA0006: Credential Access | T1003: Credential Dumping | Password Dumper Remote Thread in LSASS | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0012_8_windows_sysmon_CreateRemoteThread | - | - | - | - | |
126 | TA0008: Lateral Movement | T1078: Valid Accounts | Admin User Remote Logon | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0004_4624_windows_account_logon | LP_0004_windows_audit_logon | - | - | - | |
127 | TA0005: Defense Evasion | T1096: NTFS File Attributes | NTFS Alternate Data Stream | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | DN_0037_4103_windows_powershell_executing_pipeline | - | - | - | - | |
128 | TA0005: Defense Evasion | T1096: NTFS File Attributes | NTFS Alternate Data Stream | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | DN_0036_4104_windows_powershell_script_block | - | - | - | - | |
129 | TA0002: Execution | T1086: PowerShell | Powershell AMSI Bypass via .NET Reflection | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
130 | TA0002: Execution | T1053: Scheduled Task | Rare Schtasks Creations | - | - | - | - | - | - | - | - | - | - | |
131 | TA0004: Privilege Escalation | T1053: Scheduled Task | Rare Schtasks Creations | - | - | - | - | - | - | - | - | - | - | |
132 | TA0003: Persistence | T1053: Scheduled Task | Rare Schtasks Creations | - | - | - | - | - | - | - | - | - | - | |
133 | TA0008: Lateral Movement | T1075: Pass the Hash | Successful Overpass the Hash Attempt | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0004_4624_windows_account_logon | LP_0004_windows_audit_logon | - | - | - | |
134 | TA0005: Defense Evasion | T1070: Indicator Removal on Host | Security Eventlog Cleared | - | - | - | - | - | - | - | - | - | - | |
135 | TA0006: Credential Access | T1003: Credential Dumping | Suspicious SYSVOL Domain Group Policy Access | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0001_windows_audit_process_creation | - | - | - | |
136 | TA0006: Credential Access | T1003: Credential Dumping | Suspicious SYSVOL Domain Group Policy Access | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
137 | TA0006: Credential Access | T1003: Credential Dumping | Suspicious SYSVOL Domain Group Policy Access | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
138 | TA0006: Credential Access | T1003: Credential Dumping | Suspicious SYSVOL Domain Group Policy Access | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0001_windows_audit_process_creation | - | - | - | |
139 | TA0006: Credential Access | T1003: Credential Dumping | Suspicious SYSVOL Domain Group Policy Access | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
140 | TA0006: Credential Access | T1003: Credential Dumping | Suspicious SYSVOL Domain Group Policy Access | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
141 | TA0006: Credential Access | T1003: Credential Dumping | Suspicious SYSVOL Domain Group Policy Access | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0001_windows_audit_process_creation | - | - | - | |
142 | TA0006: Credential Access | T1003: Credential Dumping | Suspicious SYSVOL Domain Group Policy Access | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0003_windows_sysmon_process_creation | - | - | - | |
143 | TA0006: Credential Access | T1003: Credential Dumping | Suspicious SYSVOL Domain Group Policy Access | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
144 | TA0002: Execution | T1035: Service Execution | PsExec Tool Execution | - | - | - | - | - | - | - | - | - | - | |
145 | TA0005: Defense Evasion | T1070: Indicator Removal on Host | Eventlog Cleared | OS Logs | Windows | Windows Log | System | Microsoft-Windows-Eventlog | DN_0034_104_log_file_was_cleared | - | - | - | - | |
146 | TA0007: Discovery | T1033: System Owner/User Discovery | Whoami Execution | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0001_windows_audit_process_creation | - | - | - | |
147 | TA0007: Discovery | T1033: System Owner/User Discovery | Whoami Execution | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
148 | TA0007: Discovery | T1033: System Owner/User Discovery | Whoami Execution | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
149 | TA0007: Discovery | T1033: System Owner/User Discovery | Whoami Execution | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0001_windows_audit_process_creation | - | - | - | |
150 | TA0007: Discovery | T1033: System Owner/User Discovery | Whoami Execution | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
151 | TA0007: Discovery | T1033: System Owner/User Discovery | Whoami Execution | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
152 | TA0007: Discovery | T1033: System Owner/User Discovery | Whoami Execution | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0001_windows_audit_process_creation | - | - | - | |
153 | TA0007: Discovery | T1033: System Owner/User Discovery | Whoami Execution | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0003_windows_sysmon_process_creation | - | - | - | |
154 | TA0007: Discovery | T1033: System Owner/User Discovery | Whoami Execution | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
155 | TA0002: Execution | T1086: PowerShell | PowerShell Credential Prompt | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | DN_0036_4104_windows_powershell_script_block | - | - | - | - | |
156 | TA0006: Credential Access | T1086: PowerShell | PowerShell Credential Prompt | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | DN_0036_4104_windows_powershell_script_block | - | - | - | - | |
157 | TA0005: Defense Evasion | T1036: Masquerading | Suspicious Process Start Locations | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0001_windows_audit_process_creation | - | - | - | |
158 | TA0005: Defense Evasion | T1036: Masquerading | Suspicious Process Start Locations | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
159 | TA0005: Defense Evasion | T1036: Masquerading | Suspicious Process Start Locations | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
160 | TA0005: Defense Evasion | T1036: Masquerading | Suspicious Process Start Locations | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0001_windows_audit_process_creation | - | - | - | |
161 | TA0005: Defense Evasion | T1036: Masquerading | Suspicious Process Start Locations | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
162 | TA0005: Defense Evasion | T1036: Masquerading | Suspicious Process Start Locations | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
163 | TA0005: Defense Evasion | T1036: Masquerading | Suspicious Process Start Locations | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0001_windows_audit_process_creation | - | - | - | |
164 | TA0005: Defense Evasion | T1036: Masquerading | Suspicious Process Start Locations | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0003_windows_sysmon_process_creation | - | - | - | |
165 | TA0005: Defense Evasion | T1036: Masquerading | Suspicious Process Start Locations | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
166 | TA0005: Defense Evasion | T1047: Windows Management Instrumentation | SquiblyTwo | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
167 | TA0008: Lateral Movement | T1077: Windows Admin Shares | smbexec.py Service Installation | - | - | - | - | - | - | - | - | - | - | |
168 | TA0008: Lateral Movement | T1035: Service Execution | smbexec.py Service Installation | - | - | - | - | - | - | - | - | - | - | |
169 | TA0002: Execution | T1077: Windows Admin Shares | smbexec.py Service Installation | - | - | - | - | - | - | - | - | - | - | |
170 | TA0002: Execution | T1035: Service Execution | smbexec.py Service Installation | - | - | - | - | - | - | - | - | - | - | |
171 | TA0006: Credential Access | T1003: Credential Dumping | Activity Related to NTDS.dit Domain Hash Retrieval | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
172 | TA0004: Privilege Escalation | T1100: Web Shell | Webshell Detection With Command Line Keywords | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
173 | TA0003: Persistence | T1100: Web Shell | Webshell Detection With Command Line Keywords | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
174 | TA0005: Defense Evasion | T1086: PowerShell | PowerShell called from an Executable Version Mismatch | OS Logs | Windows | Applications and Services Logs | Windows PowerShell | PowerShell | DN_0038_400_windows_powershell_engine_lifecycle | - | - | - | - | |
175 | TA0002: Execution | T1086: PowerShell | PowerShell called from an Executable Version Mismatch | OS Logs | Windows | Applications and Services Logs | Windows PowerShell | PowerShell | DN_0038_400_windows_powershell_engine_lifecycle | - | - | - | - | |
176 | TA0007: Discovery | T1073: DLL Side-Loading | Reconnaissance Activity with Net Command | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0001_windows_audit_process_creation | - | - | - | |
177 | TA0007: Discovery | T1073: DLL Side-Loading | Reconnaissance Activity with Net Command | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
178 | TA0007: Discovery | T1073: DLL Side-Loading | Reconnaissance Activity with Net Command | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
179 | TA0007: Discovery | T1073: DLL Side-Loading | Reconnaissance Activity with Net Command | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0001_windows_audit_process_creation | - | - | - | |
180 | TA0007: Discovery | T1073: DLL Side-Loading | Reconnaissance Activity with Net Command | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
181 | TA0007: Discovery | T1073: DLL Side-Loading | Reconnaissance Activity with Net Command | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
182 | TA0007: Discovery | T1073: DLL Side-Loading | Reconnaissance Activity with Net Command | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0001_windows_audit_process_creation | - | - | - | |
183 | TA0007: Discovery | T1073: DLL Side-Loading | Reconnaissance Activity with Net Command | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0003_windows_sysmon_process_creation | - | - | - | |
184 | TA0007: Discovery | T1073: DLL Side-Loading | Reconnaissance Activity with Net Command | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
185 | TA0007: Discovery | T1012: Query Registry | Reconnaissance Activity with Net Command | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0001_windows_audit_process_creation | - | - | - | |
186 | TA0007: Discovery | T1012: Query Registry | Reconnaissance Activity with Net Command | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
187 | TA0007: Discovery | T1012: Query Registry | Reconnaissance Activity with Net Command | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
188 | TA0007: Discovery | T1012: Query Registry | Reconnaissance Activity with Net Command | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0001_windows_audit_process_creation | - | - | - | |
189 | TA0007: Discovery | T1012: Query Registry | Reconnaissance Activity with Net Command | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
190 | TA0007: Discovery | T1012: Query Registry | Reconnaissance Activity with Net Command | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
191 | TA0007: Discovery | T1012: Query Registry | Reconnaissance Activity with Net Command | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0001_windows_audit_process_creation | - | - | - | |
192 | TA0007: Discovery | T1012: Query Registry | Reconnaissance Activity with Net Command | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0003_windows_sysmon_process_creation | - | - | - | |
193 | TA0007: Discovery | T1012: Query Registry | Reconnaissance Activity with Net Command | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
194 | TA0003: Persistence | T1050: New Service | Malicious Service Installations | OS Logs | Windows | Windows Log | System | Service Control Manager | DN_0005_7045_windows_service_insatalled | - | - | - | - | |
195 | TA0004: Privilege Escalation | T1050: New Service | Malicious Service Installations | OS Logs | Windows | Windows Log | System | Service Control Manager | DN_0005_7045_windows_service_insatalled | - | - | - | - | |
196 | TA0005: Defense Evasion | T1027: Obfuscated Files or Information | Executable in ADS | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0019_15_windows_sysmon_FileCreateStreamHash | - | - | - | - | |
197 | TA0002: Execution | T1086: PowerShell | Suspicious PowerShell Invocations - Generic | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | DN_0037_4103_windows_powershell_executing_pipeline | - | - | - | - | |
198 | TA0002: Execution | T1086: PowerShell | Suspicious PowerShell Invocations - Generic | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | DN_0036_4104_windows_powershell_script_block | - | - | - | - | |
199 | TA0008: Lateral Movement | T1003: Credential Dumping | Mimikatz Use | - | - | - | - | - | - | - | - | - | - | |
200 | TA0006: Credential Access | T1003: Credential Dumping | Mimikatz Use | - | - | - | - | - | - | - | - | - | - | |
201 | TA0004: Privilege Escalation | T1078: Valid Accounts | Enabled User Right in AD to Control User Objects | - | - | - | - | - | - | - | - | - | - | |
202 | TA0005: Defense Evasion | T1158: Hidden Files and Directories | Hiding files with attrib.exe | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
203 | TA0003: Persistence | T1158: Hidden Files and Directories | Hiding files with attrib.exe | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
204 | TA0005: Defense Evasion | T1036: Masquerading | PowerShell Base64 Encoded Shellcode | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0001_windows_audit_process_creation | - | - | - | |
205 | TA0005: Defense Evasion | T1036: Masquerading | PowerShell Base64 Encoded Shellcode | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
206 | TA0005: Defense Evasion | T1036: Masquerading | PowerShell Base64 Encoded Shellcode | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
207 | TA0005: Defense Evasion | T1036: Masquerading | PowerShell Base64 Encoded Shellcode | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0001_windows_audit_process_creation | - | - | - | |
208 | TA0005: Defense Evasion | T1036: Masquerading | PowerShell Base64 Encoded Shellcode | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
209 | TA0005: Defense Evasion | T1036: Masquerading | PowerShell Base64 Encoded Shellcode | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
210 | TA0005: Defense Evasion | T1036: Masquerading | PowerShell Base64 Encoded Shellcode | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0001_windows_audit_process_creation | - | - | - | |
211 | TA0005: Defense Evasion | T1036: Masquerading | PowerShell Base64 Encoded Shellcode | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0003_windows_sysmon_process_creation | - | - | - | |
212 | TA0005: Defense Evasion | T1036: Masquerading | PowerShell Base64 Encoded Shellcode | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
213 | TA0002: Execution | T1085: Rundll32 | NotPetya Ransomware Activity | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
214 | TA0002: Execution | T1070: Indicator Removal on Host | NotPetya Ransomware Activity | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
215 | TA0002: Execution | T1003: Credential Dumping | NotPetya Ransomware Activity | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
216 | TA0006: Credential Access | T1085: Rundll32 | NotPetya Ransomware Activity | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
217 | TA0006: Credential Access | T1070: Indicator Removal on Host | NotPetya Ransomware Activity | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
218 | TA0006: Credential Access | T1003: Credential Dumping | NotPetya Ransomware Activity | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
219 | TA0005: Defense Evasion | T1085: Rundll32 | NotPetya Ransomware Activity | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
220 | TA0005: Defense Evasion | T1070: Indicator Removal on Host | NotPetya Ransomware Activity | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
221 | TA0005: Defense Evasion | T1003: Credential Dumping | NotPetya Ransomware Activity | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
222 | TA0005: Defense Evasion | T1054: Indicator Blocking | Disabling Windows Event Auditing | - | - | - | - | - | - | - | - | - | - | |
223 | TA0004: Privilege Escalation | T1100: Web Shell | Shells Spawned by Web Servers | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
224 | TA0003: Persistence | T1100: Web Shell | Shells Spawned by Web Servers | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
225 | TA0002: Execution | T1086: PowerShell | PowerShell Download from URL | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
226 | TA0005: Defense Evasion | T1088: Bypass User Account Control | UAC Bypass via sdclt | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0017_13_windows_sysmon_RegistryEvent | - | - | - | - | |
227 | TA0004: Privilege Escalation | T1088: Bypass User Account Control | UAC Bypass via sdclt | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0017_13_windows_sysmon_RegistryEvent | - | - | - | - | |
228 | TA0002: Execution | T1086: PowerShell | Malicious PowerShell Keywords | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | DN_0037_4103_windows_powershell_executing_pipeline | - | - | - | - | |
229 | TA0002: Execution | T1086: PowerShell | Malicious PowerShell Keywords | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | DN_0036_4104_windows_powershell_script_block | - | - | - | - | |
230 | TA0003: Persistence | T1050: New Service | Rare Service Installs | OS Logs | Windows | Windows Log | System | Service Control Manager | DN_0005_7045_windows_service_insatalled | - | - | - | - | |
231 | TA0004: Privilege Escalation | T1050: New Service | Rare Service Installs | OS Logs | Windows | Windows Log | System | Service Control Manager | DN_0005_7045_windows_service_insatalled | - | - | - | - | |
232 | TA0008: Lateral Movement | T1078: Valid Accounts | Interactive Logon to Server Systems | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0004_4624_windows_account_logon | LP_0004_windows_audit_logon | - | - | - | |
233 | TA0002: Execution | T1059: Command-Line Interface | Microsoft Office Product Spawning Windows Shell | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
234 | TA0005: Defense Evasion | T1059: Command-Line Interface | Microsoft Office Product Spawning Windows Shell | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
235 | TA0006: Credential Access | T1212: Exploitation for Credential Access | NetNTLM Downgrade Attack | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0017_13_windows_sysmon_RegistryEvent | - | - | - | - | |
236 | TA0005: Defense Evasion | T1089: Disabling Security Tools | Microsoft Malware Protection Engine Crash | - | - | - | - | - | - | - | - | - | - | |
237 | TA0005: Defense Evasion | T1211: Exploitation for Defense Evasion | Microsoft Malware Protection Engine Crash | - | - | - | - | - | - | - | - | - | - | |
238 | TA0006: Credential Access | T1003: Credential Dumping | WCE wceaux.dll Access | - | - | - | - | - | - | - | - | - | - | |
239 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0007_3_windows_sysmon_network_connection | LP_0005_windows_sysmon_network_connection | - | - | - | |
240 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0007_3_windows_sysmon_network_connection | LP_0008_windows_sysmon_FileCreate | - | - | - | |
241 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0007_3_windows_sysmon_network_connection | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
242 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0007_3_windows_sysmon_network_connection | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
243 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0007_3_windows_sysmon_network_connection | LP_0006_windows_sysmon_image_loaded | - | - | - | |
244 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0007_3_windows_sysmon_network_connection | LP_0003_windows_sysmon_process_creation | - | - | - | |
245 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0007_3_windows_sysmon_network_connection | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
246 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0009_5_windows_sysmon_process_terminated | LP_0005_windows_sysmon_network_connection | - | - | - | |
247 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0009_5_windows_sysmon_process_terminated | LP_0008_windows_sysmon_FileCreate | - | - | - | |
248 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0009_5_windows_sysmon_process_terminated | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
249 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0009_5_windows_sysmon_process_terminated | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
250 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0009_5_windows_sysmon_process_terminated | LP_0006_windows_sysmon_image_loaded | - | - | - | |
251 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0009_5_windows_sysmon_process_terminated | LP_0003_windows_sysmon_process_creation | - | - | - | |
252 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0009_5_windows_sysmon_process_terminated | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
253 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0015_11_windows_sysmon_FileCreate | LP_0005_windows_sysmon_network_connection | - | - | - | |
254 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0015_11_windows_sysmon_FileCreate | LP_0008_windows_sysmon_FileCreate | - | - | - | |
255 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0015_11_windows_sysmon_FileCreate | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
256 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0015_11_windows_sysmon_FileCreate | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
257 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0015_11_windows_sysmon_FileCreate | LP_0006_windows_sysmon_image_loaded | - | - | - | |
258 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0015_11_windows_sysmon_FileCreate | LP_0003_windows_sysmon_process_creation | - | - | - | |
259 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0015_11_windows_sysmon_FileCreate | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
260 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0010_6_windows_sysmon_driver_loaded | LP_0005_windows_sysmon_network_connection | - | - | - | |
261 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0010_6_windows_sysmon_driver_loaded | LP_0008_windows_sysmon_FileCreate | - | - | - | |
262 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0010_6_windows_sysmon_driver_loaded | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
263 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0010_6_windows_sysmon_driver_loaded | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
264 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0010_6_windows_sysmon_driver_loaded | LP_0006_windows_sysmon_image_loaded | - | - | - | |
265 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0010_6_windows_sysmon_driver_loaded | LP_0003_windows_sysmon_process_creation | - | - | - | |
266 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0010_6_windows_sysmon_driver_loaded | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
267 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0019_15_windows_sysmon_FileCreateStreamHash | LP_0005_windows_sysmon_network_connection | - | - | - | |
268 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0019_15_windows_sysmon_FileCreateStreamHash | LP_0008_windows_sysmon_FileCreate | - | - | - | |
269 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0019_15_windows_sysmon_FileCreateStreamHash | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
270 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0019_15_windows_sysmon_FileCreateStreamHash | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
271 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0019_15_windows_sysmon_FileCreateStreamHash | LP_0006_windows_sysmon_image_loaded | - | - | - | |
272 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0019_15_windows_sysmon_FileCreateStreamHash | LP_0003_windows_sysmon_process_creation | - | - | - | |
273 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0019_15_windows_sysmon_FileCreateStreamHash | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
274 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0012_8_windows_sysmon_CreateRemoteThread | LP_0005_windows_sysmon_network_connection | - | - | - | |
275 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0012_8_windows_sysmon_CreateRemoteThread | LP_0008_windows_sysmon_FileCreate | - | - | - | |
276 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0012_8_windows_sysmon_CreateRemoteThread | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
277 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0012_8_windows_sysmon_CreateRemoteThread | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
278 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0012_8_windows_sysmon_CreateRemoteThread | LP_0006_windows_sysmon_image_loaded | - | - | - | |
279 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0012_8_windows_sysmon_CreateRemoteThread | LP_0003_windows_sysmon_process_creation | - | - | - | |
280 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0012_8_windows_sysmon_CreateRemoteThread | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
281 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0023_20_windows_sysmon_WmiEvent | LP_0005_windows_sysmon_network_connection | - | - | - | |
282 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0023_20_windows_sysmon_WmiEvent | LP_0008_windows_sysmon_FileCreate | - | - | - | |
283 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0023_20_windows_sysmon_WmiEvent | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
284 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0023_20_windows_sysmon_WmiEvent | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
285 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0023_20_windows_sysmon_WmiEvent | LP_0006_windows_sysmon_image_loaded | - | - | - | |
286 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0023_20_windows_sysmon_WmiEvent | LP_0003_windows_sysmon_process_creation | - | - | - | |
287 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0023_20_windows_sysmon_WmiEvent | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
288 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0024_21_windows_sysmon_WmiEvent | LP_0005_windows_sysmon_network_connection | - | - | - | |
289 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0024_21_windows_sysmon_WmiEvent | LP_0008_windows_sysmon_FileCreate | - | - | - | |
290 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0024_21_windows_sysmon_WmiEvent | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
291 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0024_21_windows_sysmon_WmiEvent | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
292 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0024_21_windows_sysmon_WmiEvent | LP_0006_windows_sysmon_image_loaded | - | - | - | |
293 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0024_21_windows_sysmon_WmiEvent | LP_0003_windows_sysmon_process_creation | - | - | - | |
294 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0024_21_windows_sysmon_WmiEvent | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
295 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0008_4_windows_sysmon_sysmon_service_state_changed | LP_0005_windows_sysmon_network_connection | - | - | - | |
296 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0008_4_windows_sysmon_sysmon_service_state_changed | LP_0008_windows_sysmon_FileCreate | - | - | - | |
297 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0008_4_windows_sysmon_sysmon_service_state_changed | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
298 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0008_4_windows_sysmon_sysmon_service_state_changed | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
299 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0008_4_windows_sysmon_sysmon_service_state_changed | LP_0006_windows_sysmon_image_loaded | - | - | - | |
300 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0008_4_windows_sysmon_sysmon_service_state_changed | LP_0003_windows_sysmon_process_creation | - | - | - | |
301 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0008_4_windows_sysmon_sysmon_service_state_changed | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
302 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0013_9_windows_sysmon_RawAccessRead | LP_0005_windows_sysmon_network_connection | - | - | - | |
303 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0013_9_windows_sysmon_RawAccessRead | LP_0008_windows_sysmon_FileCreate | - | - | - | |
304 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0013_9_windows_sysmon_RawAccessRead | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
305 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0013_9_windows_sysmon_RawAccessRead | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
306 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0013_9_windows_sysmon_RawAccessRead | LP_0006_windows_sysmon_image_loaded | - | - | - | |
307 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0013_9_windows_sysmon_RawAccessRead | LP_0003_windows_sysmon_process_creation | - | - | - | |
308 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0013_9_windows_sysmon_RawAccessRead | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
309 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0017_13_windows_sysmon_RegistryEvent | LP_0005_windows_sysmon_network_connection | - | - | - | |
310 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0017_13_windows_sysmon_RegistryEvent | LP_0008_windows_sysmon_FileCreate | - | - | - | |
311 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0017_13_windows_sysmon_RegistryEvent | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
312 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0017_13_windows_sysmon_RegistryEvent | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
313 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0017_13_windows_sysmon_RegistryEvent | LP_0006_windows_sysmon_image_loaded | - | - | - | |
314 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0017_13_windows_sysmon_RegistryEvent | LP_0003_windows_sysmon_process_creation | - | - | - | |
315 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0017_13_windows_sysmon_RegistryEvent | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
316 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0014_10_windows_sysmon_ProcessAccess | LP_0005_windows_sysmon_network_connection | - | - | - | |
317 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0014_10_windows_sysmon_ProcessAccess | LP_0008_windows_sysmon_FileCreate | - | - | - | |
318 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0014_10_windows_sysmon_ProcessAccess | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
319 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0014_10_windows_sysmon_ProcessAccess | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
320 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0014_10_windows_sysmon_ProcessAccess | LP_0006_windows_sysmon_image_loaded | - | - | - | |
321 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0014_10_windows_sysmon_ProcessAccess | LP_0003_windows_sysmon_process_creation | - | - | - | |
322 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0014_10_windows_sysmon_ProcessAccess | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
323 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0006_2_windows_sysmon_process_changed_a_file_creation_time | LP_0005_windows_sysmon_network_connection | - | - | - | |
324 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0006_2_windows_sysmon_process_changed_a_file_creation_time | LP_0008_windows_sysmon_FileCreate | - | - | - | |
325 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0006_2_windows_sysmon_process_changed_a_file_creation_time | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
326 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0006_2_windows_sysmon_process_changed_a_file_creation_time | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
327 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0006_2_windows_sysmon_process_changed_a_file_creation_time | LP_0006_windows_sysmon_image_loaded | - | - | - | |
328 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0006_2_windows_sysmon_process_changed_a_file_creation_time | LP_0003_windows_sysmon_process_creation | - | - | - | |
329 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0006_2_windows_sysmon_process_changed_a_file_creation_time | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
330 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0011_7_windows_sysmon_image_loaded | LP_0005_windows_sysmon_network_connection | - | - | - | |
331 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0011_7_windows_sysmon_image_loaded | LP_0008_windows_sysmon_FileCreate | - | - | - | |
332 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0011_7_windows_sysmon_image_loaded | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
333 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0011_7_windows_sysmon_image_loaded | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
334 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0011_7_windows_sysmon_image_loaded | LP_0006_windows_sysmon_image_loaded | - | - | - | |
335 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0011_7_windows_sysmon_image_loaded | LP_0003_windows_sysmon_process_creation | - | - | - | |
336 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0011_7_windows_sysmon_image_loaded | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
337 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0016_12_windows_sysmon_RegistryEvent | LP_0005_windows_sysmon_network_connection | - | - | - | |
338 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0016_12_windows_sysmon_RegistryEvent | LP_0008_windows_sysmon_FileCreate | - | - | - | |
339 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0016_12_windows_sysmon_RegistryEvent | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
340 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0016_12_windows_sysmon_RegistryEvent | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
341 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0016_12_windows_sysmon_RegistryEvent | LP_0006_windows_sysmon_image_loaded | - | - | - | |
342 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0016_12_windows_sysmon_RegistryEvent | LP_0003_windows_sysmon_process_creation | - | - | - | |
343 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0016_12_windows_sysmon_RegistryEvent | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
344 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0022_19_windows_sysmon_WmiEvent | LP_0005_windows_sysmon_network_connection | - | - | - | |
345 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0022_19_windows_sysmon_WmiEvent | LP_0008_windows_sysmon_FileCreate | - | - | - | |
346 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0022_19_windows_sysmon_WmiEvent | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
347 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0022_19_windows_sysmon_WmiEvent | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
348 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0022_19_windows_sysmon_WmiEvent | LP_0006_windows_sysmon_image_loaded | - | - | - | |
349 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0022_19_windows_sysmon_WmiEvent | LP_0003_windows_sysmon_process_creation | - | - | - | |
350 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0022_19_windows_sysmon_WmiEvent | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
351 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0005_windows_sysmon_network_connection | - | - | - | |
352 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0008_windows_sysmon_FileCreate | - | - | - | |
353 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
354 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
355 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0006_windows_sysmon_image_loaded | - | - | - | |
356 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
357 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
358 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0021_18_windows_sysmon_PipeEvent | LP_0005_windows_sysmon_network_connection | - | - | - | |
359 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0021_18_windows_sysmon_PipeEvent | LP_0008_windows_sysmon_FileCreate | - | - | - | |
360 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0021_18_windows_sysmon_PipeEvent | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
361 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0021_18_windows_sysmon_PipeEvent | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
362 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0021_18_windows_sysmon_PipeEvent | LP_0006_windows_sysmon_image_loaded | - | - | - | |
363 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0021_18_windows_sysmon_PipeEvent | LP_0003_windows_sysmon_process_creation | - | - | - | |
364 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0021_18_windows_sysmon_PipeEvent | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
365 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0018_14_windows_sysmon_RegistryEvent | LP_0005_windows_sysmon_network_connection | - | - | - | |
366 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0018_14_windows_sysmon_RegistryEvent | LP_0008_windows_sysmon_FileCreate | - | - | - | |
367 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0018_14_windows_sysmon_RegistryEvent | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
368 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0018_14_windows_sysmon_RegistryEvent | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
369 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0018_14_windows_sysmon_RegistryEvent | LP_0006_windows_sysmon_image_loaded | - | - | - | |
370 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0018_14_windows_sysmon_RegistryEvent | LP_0003_windows_sysmon_process_creation | - | - | - | |
371 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0018_14_windows_sysmon_RegistryEvent | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
372 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0020_17_windows_sysmon_PipeEvent | LP_0005_windows_sysmon_network_connection | - | - | - | |
373 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0020_17_windows_sysmon_PipeEvent | LP_0008_windows_sysmon_FileCreate | - | - | - | |
374 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0020_17_windows_sysmon_PipeEvent | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
375 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0020_17_windows_sysmon_PipeEvent | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
376 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0020_17_windows_sysmon_PipeEvent | LP_0006_windows_sysmon_image_loaded | - | - | - | |
377 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0020_17_windows_sysmon_PipeEvent | LP_0003_windows_sysmon_process_creation | - | - | - | |
378 | TA0002: Execution | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0020_17_windows_sysmon_PipeEvent | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
379 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0007_3_windows_sysmon_network_connection | LP_0005_windows_sysmon_network_connection | - | - | - | |
380 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0007_3_windows_sysmon_network_connection | LP_0008_windows_sysmon_FileCreate | - | - | - | |
381 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0007_3_windows_sysmon_network_connection | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
382 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0007_3_windows_sysmon_network_connection | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
383 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0007_3_windows_sysmon_network_connection | LP_0006_windows_sysmon_image_loaded | - | - | - | |
384 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0007_3_windows_sysmon_network_connection | LP_0003_windows_sysmon_process_creation | - | - | - | |
385 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0007_3_windows_sysmon_network_connection | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
386 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0009_5_windows_sysmon_process_terminated | LP_0005_windows_sysmon_network_connection | - | - | - | |
387 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0009_5_windows_sysmon_process_terminated | LP_0008_windows_sysmon_FileCreate | - | - | - | |
388 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0009_5_windows_sysmon_process_terminated | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
389 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0009_5_windows_sysmon_process_terminated | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
390 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0009_5_windows_sysmon_process_terminated | LP_0006_windows_sysmon_image_loaded | - | - | - | |
391 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0009_5_windows_sysmon_process_terminated | LP_0003_windows_sysmon_process_creation | - | - | - | |
392 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0009_5_windows_sysmon_process_terminated | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
393 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0015_11_windows_sysmon_FileCreate | LP_0005_windows_sysmon_network_connection | - | - | - | |
394 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0015_11_windows_sysmon_FileCreate | LP_0008_windows_sysmon_FileCreate | - | - | - | |
395 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0015_11_windows_sysmon_FileCreate | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
396 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0015_11_windows_sysmon_FileCreate | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
397 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0015_11_windows_sysmon_FileCreate | LP_0006_windows_sysmon_image_loaded | - | - | - | |
398 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0015_11_windows_sysmon_FileCreate | LP_0003_windows_sysmon_process_creation | - | - | - | |
399 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0015_11_windows_sysmon_FileCreate | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
400 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0010_6_windows_sysmon_driver_loaded | LP_0005_windows_sysmon_network_connection | - | - | - | |
401 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0010_6_windows_sysmon_driver_loaded | LP_0008_windows_sysmon_FileCreate | - | - | - | |
402 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0010_6_windows_sysmon_driver_loaded | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
403 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0010_6_windows_sysmon_driver_loaded | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
404 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0010_6_windows_sysmon_driver_loaded | LP_0006_windows_sysmon_image_loaded | - | - | - | |
405 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0010_6_windows_sysmon_driver_loaded | LP_0003_windows_sysmon_process_creation | - | - | - | |
406 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0010_6_windows_sysmon_driver_loaded | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
407 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0019_15_windows_sysmon_FileCreateStreamHash | LP_0005_windows_sysmon_network_connection | - | - | - | |
408 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0019_15_windows_sysmon_FileCreateStreamHash | LP_0008_windows_sysmon_FileCreate | - | - | - | |
409 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0019_15_windows_sysmon_FileCreateStreamHash | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
410 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0019_15_windows_sysmon_FileCreateStreamHash | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
411 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0019_15_windows_sysmon_FileCreateStreamHash | LP_0006_windows_sysmon_image_loaded | - | - | - | |
412 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0019_15_windows_sysmon_FileCreateStreamHash | LP_0003_windows_sysmon_process_creation | - | - | - | |
413 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0019_15_windows_sysmon_FileCreateStreamHash | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
414 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0012_8_windows_sysmon_CreateRemoteThread | LP_0005_windows_sysmon_network_connection | - | - | - | |
415 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0012_8_windows_sysmon_CreateRemoteThread | LP_0008_windows_sysmon_FileCreate | - | - | - | |
416 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0012_8_windows_sysmon_CreateRemoteThread | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
417 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0012_8_windows_sysmon_CreateRemoteThread | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
418 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0012_8_windows_sysmon_CreateRemoteThread | LP_0006_windows_sysmon_image_loaded | - | - | - | |
419 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0012_8_windows_sysmon_CreateRemoteThread | LP_0003_windows_sysmon_process_creation | - | - | - | |
420 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0012_8_windows_sysmon_CreateRemoteThread | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
421 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0023_20_windows_sysmon_WmiEvent | LP_0005_windows_sysmon_network_connection | - | - | - | |
422 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0023_20_windows_sysmon_WmiEvent | LP_0008_windows_sysmon_FileCreate | - | - | - | |
423 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0023_20_windows_sysmon_WmiEvent | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
424 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0023_20_windows_sysmon_WmiEvent | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
425 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0023_20_windows_sysmon_WmiEvent | LP_0006_windows_sysmon_image_loaded | - | - | - | |
426 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0023_20_windows_sysmon_WmiEvent | LP_0003_windows_sysmon_process_creation | - | - | - | |
427 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0023_20_windows_sysmon_WmiEvent | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
428 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0024_21_windows_sysmon_WmiEvent | LP_0005_windows_sysmon_network_connection | - | - | - | |
429 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0024_21_windows_sysmon_WmiEvent | LP_0008_windows_sysmon_FileCreate | - | - | - | |
430 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0024_21_windows_sysmon_WmiEvent | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
431 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0024_21_windows_sysmon_WmiEvent | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
432 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0024_21_windows_sysmon_WmiEvent | LP_0006_windows_sysmon_image_loaded | - | - | - | |
433 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0024_21_windows_sysmon_WmiEvent | LP_0003_windows_sysmon_process_creation | - | - | - | |
434 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0024_21_windows_sysmon_WmiEvent | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
435 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0008_4_windows_sysmon_sysmon_service_state_changed | LP_0005_windows_sysmon_network_connection | - | - | - | |
436 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0008_4_windows_sysmon_sysmon_service_state_changed | LP_0008_windows_sysmon_FileCreate | - | - | - | |
437 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0008_4_windows_sysmon_sysmon_service_state_changed | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
438 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0008_4_windows_sysmon_sysmon_service_state_changed | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
439 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0008_4_windows_sysmon_sysmon_service_state_changed | LP_0006_windows_sysmon_image_loaded | - | - | - | |
440 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0008_4_windows_sysmon_sysmon_service_state_changed | LP_0003_windows_sysmon_process_creation | - | - | - | |
441 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0008_4_windows_sysmon_sysmon_service_state_changed | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
442 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0013_9_windows_sysmon_RawAccessRead | LP_0005_windows_sysmon_network_connection | - | - | - | |
443 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0013_9_windows_sysmon_RawAccessRead | LP_0008_windows_sysmon_FileCreate | - | - | - | |
444 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0013_9_windows_sysmon_RawAccessRead | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
445 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0013_9_windows_sysmon_RawAccessRead | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
446 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0013_9_windows_sysmon_RawAccessRead | LP_0006_windows_sysmon_image_loaded | - | - | - | |
447 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0013_9_windows_sysmon_RawAccessRead | LP_0003_windows_sysmon_process_creation | - | - | - | |
448 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0013_9_windows_sysmon_RawAccessRead | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
449 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0017_13_windows_sysmon_RegistryEvent | LP_0005_windows_sysmon_network_connection | - | - | - | |
450 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0017_13_windows_sysmon_RegistryEvent | LP_0008_windows_sysmon_FileCreate | - | - | - | |
451 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0017_13_windows_sysmon_RegistryEvent | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
452 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0017_13_windows_sysmon_RegistryEvent | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
453 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0017_13_windows_sysmon_RegistryEvent | LP_0006_windows_sysmon_image_loaded | - | - | - | |
454 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0017_13_windows_sysmon_RegistryEvent | LP_0003_windows_sysmon_process_creation | - | - | - | |
455 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0017_13_windows_sysmon_RegistryEvent | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
456 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0014_10_windows_sysmon_ProcessAccess | LP_0005_windows_sysmon_network_connection | - | - | - | |
457 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0014_10_windows_sysmon_ProcessAccess | LP_0008_windows_sysmon_FileCreate | - | - | - | |
458 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0014_10_windows_sysmon_ProcessAccess | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
459 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0014_10_windows_sysmon_ProcessAccess | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
460 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0014_10_windows_sysmon_ProcessAccess | LP_0006_windows_sysmon_image_loaded | - | - | - | |
461 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0014_10_windows_sysmon_ProcessAccess | LP_0003_windows_sysmon_process_creation | - | - | - | |
462 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0014_10_windows_sysmon_ProcessAccess | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
463 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0006_2_windows_sysmon_process_changed_a_file_creation_time | LP_0005_windows_sysmon_network_connection | - | - | - | |
464 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0006_2_windows_sysmon_process_changed_a_file_creation_time | LP_0008_windows_sysmon_FileCreate | - | - | - | |
465 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0006_2_windows_sysmon_process_changed_a_file_creation_time | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
466 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0006_2_windows_sysmon_process_changed_a_file_creation_time | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
467 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0006_2_windows_sysmon_process_changed_a_file_creation_time | LP_0006_windows_sysmon_image_loaded | - | - | - | |
468 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0006_2_windows_sysmon_process_changed_a_file_creation_time | LP_0003_windows_sysmon_process_creation | - | - | - | |
469 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0006_2_windows_sysmon_process_changed_a_file_creation_time | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
470 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0011_7_windows_sysmon_image_loaded | LP_0005_windows_sysmon_network_connection | - | - | - | |
471 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0011_7_windows_sysmon_image_loaded | LP_0008_windows_sysmon_FileCreate | - | - | - | |
472 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0011_7_windows_sysmon_image_loaded | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
473 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0011_7_windows_sysmon_image_loaded | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
474 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0011_7_windows_sysmon_image_loaded | LP_0006_windows_sysmon_image_loaded | - | - | - | |
475 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0011_7_windows_sysmon_image_loaded | LP_0003_windows_sysmon_process_creation | - | - | - | |
476 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0011_7_windows_sysmon_image_loaded | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
477 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0016_12_windows_sysmon_RegistryEvent | LP_0005_windows_sysmon_network_connection | - | - | - | |
478 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0016_12_windows_sysmon_RegistryEvent | LP_0008_windows_sysmon_FileCreate | - | - | - | |
479 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0016_12_windows_sysmon_RegistryEvent | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
480 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0016_12_windows_sysmon_RegistryEvent | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
481 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0016_12_windows_sysmon_RegistryEvent | LP_0006_windows_sysmon_image_loaded | - | - | - | |
482 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0016_12_windows_sysmon_RegistryEvent | LP_0003_windows_sysmon_process_creation | - | - | - | |
483 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0016_12_windows_sysmon_RegistryEvent | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
484 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0022_19_windows_sysmon_WmiEvent | LP_0005_windows_sysmon_network_connection | - | - | - | |
485 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0022_19_windows_sysmon_WmiEvent | LP_0008_windows_sysmon_FileCreate | - | - | - | |
486 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0022_19_windows_sysmon_WmiEvent | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
487 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0022_19_windows_sysmon_WmiEvent | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
488 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0022_19_windows_sysmon_WmiEvent | LP_0006_windows_sysmon_image_loaded | - | - | - | |
489 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0022_19_windows_sysmon_WmiEvent | LP_0003_windows_sysmon_process_creation | - | - | - | |
490 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0022_19_windows_sysmon_WmiEvent | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
491 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0005_windows_sysmon_network_connection | - | - | - | |
492 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0008_windows_sysmon_FileCreate | - | - | - | |
493 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
494 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
495 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0006_windows_sysmon_image_loaded | - | - | - | |
496 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
497 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
498 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0021_18_windows_sysmon_PipeEvent | LP_0005_windows_sysmon_network_connection | - | - | - | |
499 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0021_18_windows_sysmon_PipeEvent | LP_0008_windows_sysmon_FileCreate | - | - | - | |
500 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0021_18_windows_sysmon_PipeEvent | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
501 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0021_18_windows_sysmon_PipeEvent | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
502 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0021_18_windows_sysmon_PipeEvent | LP_0006_windows_sysmon_image_loaded | - | - | - | |
503 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0021_18_windows_sysmon_PipeEvent | LP_0003_windows_sysmon_process_creation | - | - | - | |
504 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0021_18_windows_sysmon_PipeEvent | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
505 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0018_14_windows_sysmon_RegistryEvent | LP_0005_windows_sysmon_network_connection | - | - | - | |
506 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0018_14_windows_sysmon_RegistryEvent | LP_0008_windows_sysmon_FileCreate | - | - | - | |
507 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0018_14_windows_sysmon_RegistryEvent | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
508 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0018_14_windows_sysmon_RegistryEvent | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
509 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0018_14_windows_sysmon_RegistryEvent | LP_0006_windows_sysmon_image_loaded | - | - | - | |
510 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0018_14_windows_sysmon_RegistryEvent | LP_0003_windows_sysmon_process_creation | - | - | - | |
511 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0018_14_windows_sysmon_RegistryEvent | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
512 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0020_17_windows_sysmon_PipeEvent | LP_0005_windows_sysmon_network_connection | - | - | - | |
513 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0020_17_windows_sysmon_PipeEvent | LP_0008_windows_sysmon_FileCreate | - | - | - | |
514 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0020_17_windows_sysmon_PipeEvent | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
515 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0020_17_windows_sysmon_PipeEvent | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
516 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0020_17_windows_sysmon_PipeEvent | LP_0006_windows_sysmon_image_loaded | - | - | - | |
517 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0020_17_windows_sysmon_PipeEvent | LP_0003_windows_sysmon_process_creation | - | - | - | |
518 | TA0002: Execution | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0020_17_windows_sysmon_PipeEvent | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
519 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0007_3_windows_sysmon_network_connection | LP_0005_windows_sysmon_network_connection | - | - | - | |
520 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0007_3_windows_sysmon_network_connection | LP_0008_windows_sysmon_FileCreate | - | - | - | |
521 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0007_3_windows_sysmon_network_connection | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
522 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0007_3_windows_sysmon_network_connection | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
523 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0007_3_windows_sysmon_network_connection | LP_0006_windows_sysmon_image_loaded | - | - | - | |
524 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0007_3_windows_sysmon_network_connection | LP_0003_windows_sysmon_process_creation | - | - | - | |
525 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0007_3_windows_sysmon_network_connection | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
526 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0009_5_windows_sysmon_process_terminated | LP_0005_windows_sysmon_network_connection | - | - | - | |
527 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0009_5_windows_sysmon_process_terminated | LP_0008_windows_sysmon_FileCreate | - | - | - | |
528 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0009_5_windows_sysmon_process_terminated | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
529 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0009_5_windows_sysmon_process_terminated | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
530 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0009_5_windows_sysmon_process_terminated | LP_0006_windows_sysmon_image_loaded | - | - | - | |
531 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0009_5_windows_sysmon_process_terminated | LP_0003_windows_sysmon_process_creation | - | - | - | |
532 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0009_5_windows_sysmon_process_terminated | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
533 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0015_11_windows_sysmon_FileCreate | LP_0005_windows_sysmon_network_connection | - | - | - | |
534 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0015_11_windows_sysmon_FileCreate | LP_0008_windows_sysmon_FileCreate | - | - | - | |
535 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0015_11_windows_sysmon_FileCreate | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
536 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0015_11_windows_sysmon_FileCreate | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
537 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0015_11_windows_sysmon_FileCreate | LP_0006_windows_sysmon_image_loaded | - | - | - | |
538 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0015_11_windows_sysmon_FileCreate | LP_0003_windows_sysmon_process_creation | - | - | - | |
539 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0015_11_windows_sysmon_FileCreate | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
540 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0010_6_windows_sysmon_driver_loaded | LP_0005_windows_sysmon_network_connection | - | - | - | |
541 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0010_6_windows_sysmon_driver_loaded | LP_0008_windows_sysmon_FileCreate | - | - | - | |
542 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0010_6_windows_sysmon_driver_loaded | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
543 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0010_6_windows_sysmon_driver_loaded | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
544 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0010_6_windows_sysmon_driver_loaded | LP_0006_windows_sysmon_image_loaded | - | - | - | |
545 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0010_6_windows_sysmon_driver_loaded | LP_0003_windows_sysmon_process_creation | - | - | - | |
546 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0010_6_windows_sysmon_driver_loaded | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
547 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0019_15_windows_sysmon_FileCreateStreamHash | LP_0005_windows_sysmon_network_connection | - | - | - | |
548 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0019_15_windows_sysmon_FileCreateStreamHash | LP_0008_windows_sysmon_FileCreate | - | - | - | |
549 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0019_15_windows_sysmon_FileCreateStreamHash | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
550 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0019_15_windows_sysmon_FileCreateStreamHash | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
551 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0019_15_windows_sysmon_FileCreateStreamHash | LP_0006_windows_sysmon_image_loaded | - | - | - | |
552 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0019_15_windows_sysmon_FileCreateStreamHash | LP_0003_windows_sysmon_process_creation | - | - | - | |
553 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0019_15_windows_sysmon_FileCreateStreamHash | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
554 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0012_8_windows_sysmon_CreateRemoteThread | LP_0005_windows_sysmon_network_connection | - | - | - | |
555 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0012_8_windows_sysmon_CreateRemoteThread | LP_0008_windows_sysmon_FileCreate | - | - | - | |
556 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0012_8_windows_sysmon_CreateRemoteThread | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
557 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0012_8_windows_sysmon_CreateRemoteThread | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
558 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0012_8_windows_sysmon_CreateRemoteThread | LP_0006_windows_sysmon_image_loaded | - | - | - | |
559 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0012_8_windows_sysmon_CreateRemoteThread | LP_0003_windows_sysmon_process_creation | - | - | - | |
560 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0012_8_windows_sysmon_CreateRemoteThread | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
561 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0023_20_windows_sysmon_WmiEvent | LP_0005_windows_sysmon_network_connection | - | - | - | |
562 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0023_20_windows_sysmon_WmiEvent | LP_0008_windows_sysmon_FileCreate | - | - | - | |
563 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0023_20_windows_sysmon_WmiEvent | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
564 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0023_20_windows_sysmon_WmiEvent | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
565 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0023_20_windows_sysmon_WmiEvent | LP_0006_windows_sysmon_image_loaded | - | - | - | |
566 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0023_20_windows_sysmon_WmiEvent | LP_0003_windows_sysmon_process_creation | - | - | - | |
567 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0023_20_windows_sysmon_WmiEvent | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
568 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0024_21_windows_sysmon_WmiEvent | LP_0005_windows_sysmon_network_connection | - | - | - | |
569 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0024_21_windows_sysmon_WmiEvent | LP_0008_windows_sysmon_FileCreate | - | - | - | |
570 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0024_21_windows_sysmon_WmiEvent | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
571 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0024_21_windows_sysmon_WmiEvent | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
572 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0024_21_windows_sysmon_WmiEvent | LP_0006_windows_sysmon_image_loaded | - | - | - | |
573 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0024_21_windows_sysmon_WmiEvent | LP_0003_windows_sysmon_process_creation | - | - | - | |
574 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0024_21_windows_sysmon_WmiEvent | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
575 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0008_4_windows_sysmon_sysmon_service_state_changed | LP_0005_windows_sysmon_network_connection | - | - | - | |
576 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0008_4_windows_sysmon_sysmon_service_state_changed | LP_0008_windows_sysmon_FileCreate | - | - | - | |
577 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0008_4_windows_sysmon_sysmon_service_state_changed | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
578 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0008_4_windows_sysmon_sysmon_service_state_changed | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
579 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0008_4_windows_sysmon_sysmon_service_state_changed | LP_0006_windows_sysmon_image_loaded | - | - | - | |
580 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0008_4_windows_sysmon_sysmon_service_state_changed | LP_0003_windows_sysmon_process_creation | - | - | - | |
581 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0008_4_windows_sysmon_sysmon_service_state_changed | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
582 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0013_9_windows_sysmon_RawAccessRead | LP_0005_windows_sysmon_network_connection | - | - | - | |
583 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0013_9_windows_sysmon_RawAccessRead | LP_0008_windows_sysmon_FileCreate | - | - | - | |
584 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0013_9_windows_sysmon_RawAccessRead | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
585 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0013_9_windows_sysmon_RawAccessRead | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
586 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0013_9_windows_sysmon_RawAccessRead | LP_0006_windows_sysmon_image_loaded | - | - | - | |
587 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0013_9_windows_sysmon_RawAccessRead | LP_0003_windows_sysmon_process_creation | - | - | - | |
588 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0013_9_windows_sysmon_RawAccessRead | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
589 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0017_13_windows_sysmon_RegistryEvent | LP_0005_windows_sysmon_network_connection | - | - | - | |
590 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0017_13_windows_sysmon_RegistryEvent | LP_0008_windows_sysmon_FileCreate | - | - | - | |
591 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0017_13_windows_sysmon_RegistryEvent | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
592 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0017_13_windows_sysmon_RegistryEvent | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
593 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0017_13_windows_sysmon_RegistryEvent | LP_0006_windows_sysmon_image_loaded | - | - | - | |
594 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0017_13_windows_sysmon_RegistryEvent | LP_0003_windows_sysmon_process_creation | - | - | - | |
595 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0017_13_windows_sysmon_RegistryEvent | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
596 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0014_10_windows_sysmon_ProcessAccess | LP_0005_windows_sysmon_network_connection | - | - | - | |
597 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0014_10_windows_sysmon_ProcessAccess | LP_0008_windows_sysmon_FileCreate | - | - | - | |
598 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0014_10_windows_sysmon_ProcessAccess | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
599 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0014_10_windows_sysmon_ProcessAccess | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
600 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0014_10_windows_sysmon_ProcessAccess | LP_0006_windows_sysmon_image_loaded | - | - | - | |
601 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0014_10_windows_sysmon_ProcessAccess | LP_0003_windows_sysmon_process_creation | - | - | - | |
602 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0014_10_windows_sysmon_ProcessAccess | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
603 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0006_2_windows_sysmon_process_changed_a_file_creation_time | LP_0005_windows_sysmon_network_connection | - | - | - | |
604 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0006_2_windows_sysmon_process_changed_a_file_creation_time | LP_0008_windows_sysmon_FileCreate | - | - | - | |
605 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0006_2_windows_sysmon_process_changed_a_file_creation_time | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
606 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0006_2_windows_sysmon_process_changed_a_file_creation_time | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
607 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0006_2_windows_sysmon_process_changed_a_file_creation_time | LP_0006_windows_sysmon_image_loaded | - | - | - | |
608 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0006_2_windows_sysmon_process_changed_a_file_creation_time | LP_0003_windows_sysmon_process_creation | - | - | - | |
609 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0006_2_windows_sysmon_process_changed_a_file_creation_time | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
610 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0011_7_windows_sysmon_image_loaded | LP_0005_windows_sysmon_network_connection | - | - | - | |
611 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0011_7_windows_sysmon_image_loaded | LP_0008_windows_sysmon_FileCreate | - | - | - | |
612 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0011_7_windows_sysmon_image_loaded | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
613 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0011_7_windows_sysmon_image_loaded | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
614 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0011_7_windows_sysmon_image_loaded | LP_0006_windows_sysmon_image_loaded | - | - | - | |
615 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0011_7_windows_sysmon_image_loaded | LP_0003_windows_sysmon_process_creation | - | - | - | |
616 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0011_7_windows_sysmon_image_loaded | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
617 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0016_12_windows_sysmon_RegistryEvent | LP_0005_windows_sysmon_network_connection | - | - | - | |
618 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0016_12_windows_sysmon_RegistryEvent | LP_0008_windows_sysmon_FileCreate | - | - | - | |
619 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0016_12_windows_sysmon_RegistryEvent | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
620 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0016_12_windows_sysmon_RegistryEvent | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
621 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0016_12_windows_sysmon_RegistryEvent | LP_0006_windows_sysmon_image_loaded | - | - | - | |
622 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0016_12_windows_sysmon_RegistryEvent | LP_0003_windows_sysmon_process_creation | - | - | - | |
623 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0016_12_windows_sysmon_RegistryEvent | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
624 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0022_19_windows_sysmon_WmiEvent | LP_0005_windows_sysmon_network_connection | - | - | - | |
625 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0022_19_windows_sysmon_WmiEvent | LP_0008_windows_sysmon_FileCreate | - | - | - | |
626 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0022_19_windows_sysmon_WmiEvent | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
627 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0022_19_windows_sysmon_WmiEvent | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
628 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0022_19_windows_sysmon_WmiEvent | LP_0006_windows_sysmon_image_loaded | - | - | - | |
629 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0022_19_windows_sysmon_WmiEvent | LP_0003_windows_sysmon_process_creation | - | - | - | |
630 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0022_19_windows_sysmon_WmiEvent | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
631 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0005_windows_sysmon_network_connection | - | - | - | |
632 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0008_windows_sysmon_FileCreate | - | - | - | |
633 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
634 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
635 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0006_windows_sysmon_image_loaded | - | - | - | |
636 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
637 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
638 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0021_18_windows_sysmon_PipeEvent | LP_0005_windows_sysmon_network_connection | - | - | - | |
639 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0021_18_windows_sysmon_PipeEvent | LP_0008_windows_sysmon_FileCreate | - | - | - | |
640 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0021_18_windows_sysmon_PipeEvent | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
641 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0021_18_windows_sysmon_PipeEvent | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
642 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0021_18_windows_sysmon_PipeEvent | LP_0006_windows_sysmon_image_loaded | - | - | - | |
643 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0021_18_windows_sysmon_PipeEvent | LP_0003_windows_sysmon_process_creation | - | - | - | |
644 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0021_18_windows_sysmon_PipeEvent | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
645 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0018_14_windows_sysmon_RegistryEvent | LP_0005_windows_sysmon_network_connection | - | - | - | |
646 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0018_14_windows_sysmon_RegistryEvent | LP_0008_windows_sysmon_FileCreate | - | - | - | |
647 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0018_14_windows_sysmon_RegistryEvent | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
648 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0018_14_windows_sysmon_RegistryEvent | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
649 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0018_14_windows_sysmon_RegistryEvent | LP_0006_windows_sysmon_image_loaded | - | - | - | |
650 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0018_14_windows_sysmon_RegistryEvent | LP_0003_windows_sysmon_process_creation | - | - | - | |
651 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0018_14_windows_sysmon_RegistryEvent | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
652 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0020_17_windows_sysmon_PipeEvent | LP_0005_windows_sysmon_network_connection | - | - | - | |
653 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0020_17_windows_sysmon_PipeEvent | LP_0008_windows_sysmon_FileCreate | - | - | - | |
654 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0020_17_windows_sysmon_PipeEvent | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
655 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0020_17_windows_sysmon_PipeEvent | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
656 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0020_17_windows_sysmon_PipeEvent | LP_0006_windows_sysmon_image_loaded | - | - | - | |
657 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0020_17_windows_sysmon_PipeEvent | LP_0003_windows_sysmon_process_creation | - | - | - | |
658 | TA0003: Persistence | T1053: Scheduled Task | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0020_17_windows_sysmon_PipeEvent | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
659 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0007_3_windows_sysmon_network_connection | LP_0005_windows_sysmon_network_connection | - | - | - | |
660 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0007_3_windows_sysmon_network_connection | LP_0008_windows_sysmon_FileCreate | - | - | - | |
661 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0007_3_windows_sysmon_network_connection | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
662 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0007_3_windows_sysmon_network_connection | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
663 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0007_3_windows_sysmon_network_connection | LP_0006_windows_sysmon_image_loaded | - | - | - | |
664 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0007_3_windows_sysmon_network_connection | LP_0003_windows_sysmon_process_creation | - | - | - | |
665 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0007_3_windows_sysmon_network_connection | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
666 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0009_5_windows_sysmon_process_terminated | LP_0005_windows_sysmon_network_connection | - | - | - | |
667 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0009_5_windows_sysmon_process_terminated | LP_0008_windows_sysmon_FileCreate | - | - | - | |
668 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0009_5_windows_sysmon_process_terminated | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
669 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0009_5_windows_sysmon_process_terminated | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
670 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0009_5_windows_sysmon_process_terminated | LP_0006_windows_sysmon_image_loaded | - | - | - | |
671 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0009_5_windows_sysmon_process_terminated | LP_0003_windows_sysmon_process_creation | - | - | - | |
672 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0009_5_windows_sysmon_process_terminated | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
673 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0015_11_windows_sysmon_FileCreate | LP_0005_windows_sysmon_network_connection | - | - | - | |
674 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0015_11_windows_sysmon_FileCreate | LP_0008_windows_sysmon_FileCreate | - | - | - | |
675 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0015_11_windows_sysmon_FileCreate | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
676 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0015_11_windows_sysmon_FileCreate | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
677 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0015_11_windows_sysmon_FileCreate | LP_0006_windows_sysmon_image_loaded | - | - | - | |
678 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0015_11_windows_sysmon_FileCreate | LP_0003_windows_sysmon_process_creation | - | - | - | |
679 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0015_11_windows_sysmon_FileCreate | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
680 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0010_6_windows_sysmon_driver_loaded | LP_0005_windows_sysmon_network_connection | - | - | - | |
681 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0010_6_windows_sysmon_driver_loaded | LP_0008_windows_sysmon_FileCreate | - | - | - | |
682 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0010_6_windows_sysmon_driver_loaded | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
683 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0010_6_windows_sysmon_driver_loaded | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
684 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0010_6_windows_sysmon_driver_loaded | LP_0006_windows_sysmon_image_loaded | - | - | - | |
685 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0010_6_windows_sysmon_driver_loaded | LP_0003_windows_sysmon_process_creation | - | - | - | |
686 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0010_6_windows_sysmon_driver_loaded | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
687 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0019_15_windows_sysmon_FileCreateStreamHash | LP_0005_windows_sysmon_network_connection | - | - | - | |
688 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0019_15_windows_sysmon_FileCreateStreamHash | LP_0008_windows_sysmon_FileCreate | - | - | - | |
689 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0019_15_windows_sysmon_FileCreateStreamHash | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
690 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0019_15_windows_sysmon_FileCreateStreamHash | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
691 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0019_15_windows_sysmon_FileCreateStreamHash | LP_0006_windows_sysmon_image_loaded | - | - | - | |
692 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0019_15_windows_sysmon_FileCreateStreamHash | LP_0003_windows_sysmon_process_creation | - | - | - | |
693 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0019_15_windows_sysmon_FileCreateStreamHash | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
694 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0012_8_windows_sysmon_CreateRemoteThread | LP_0005_windows_sysmon_network_connection | - | - | - | |
695 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0012_8_windows_sysmon_CreateRemoteThread | LP_0008_windows_sysmon_FileCreate | - | - | - | |
696 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0012_8_windows_sysmon_CreateRemoteThread | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
697 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0012_8_windows_sysmon_CreateRemoteThread | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
698 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0012_8_windows_sysmon_CreateRemoteThread | LP_0006_windows_sysmon_image_loaded | - | - | - | |
699 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0012_8_windows_sysmon_CreateRemoteThread | LP_0003_windows_sysmon_process_creation | - | - | - | |
700 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0012_8_windows_sysmon_CreateRemoteThread | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
701 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0023_20_windows_sysmon_WmiEvent | LP_0005_windows_sysmon_network_connection | - | - | - | |
702 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0023_20_windows_sysmon_WmiEvent | LP_0008_windows_sysmon_FileCreate | - | - | - | |
703 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0023_20_windows_sysmon_WmiEvent | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
704 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0023_20_windows_sysmon_WmiEvent | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
705 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0023_20_windows_sysmon_WmiEvent | LP_0006_windows_sysmon_image_loaded | - | - | - | |
706 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0023_20_windows_sysmon_WmiEvent | LP_0003_windows_sysmon_process_creation | - | - | - | |
707 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0023_20_windows_sysmon_WmiEvent | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
708 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0024_21_windows_sysmon_WmiEvent | LP_0005_windows_sysmon_network_connection | - | - | - | |
709 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0024_21_windows_sysmon_WmiEvent | LP_0008_windows_sysmon_FileCreate | - | - | - | |
710 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0024_21_windows_sysmon_WmiEvent | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
711 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0024_21_windows_sysmon_WmiEvent | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
712 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0024_21_windows_sysmon_WmiEvent | LP_0006_windows_sysmon_image_loaded | - | - | - | |
713 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0024_21_windows_sysmon_WmiEvent | LP_0003_windows_sysmon_process_creation | - | - | - | |
714 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0024_21_windows_sysmon_WmiEvent | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
715 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0008_4_windows_sysmon_sysmon_service_state_changed | LP_0005_windows_sysmon_network_connection | - | - | - | |
716 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0008_4_windows_sysmon_sysmon_service_state_changed | LP_0008_windows_sysmon_FileCreate | - | - | - | |
717 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0008_4_windows_sysmon_sysmon_service_state_changed | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
718 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0008_4_windows_sysmon_sysmon_service_state_changed | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
719 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0008_4_windows_sysmon_sysmon_service_state_changed | LP_0006_windows_sysmon_image_loaded | - | - | - | |
720 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0008_4_windows_sysmon_sysmon_service_state_changed | LP_0003_windows_sysmon_process_creation | - | - | - | |
721 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0008_4_windows_sysmon_sysmon_service_state_changed | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
722 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0013_9_windows_sysmon_RawAccessRead | LP_0005_windows_sysmon_network_connection | - | - | - | |
723 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0013_9_windows_sysmon_RawAccessRead | LP_0008_windows_sysmon_FileCreate | - | - | - | |
724 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0013_9_windows_sysmon_RawAccessRead | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
725 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0013_9_windows_sysmon_RawAccessRead | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
726 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0013_9_windows_sysmon_RawAccessRead | LP_0006_windows_sysmon_image_loaded | - | - | - | |
727 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0013_9_windows_sysmon_RawAccessRead | LP_0003_windows_sysmon_process_creation | - | - | - | |
728 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0013_9_windows_sysmon_RawAccessRead | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
729 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0017_13_windows_sysmon_RegistryEvent | LP_0005_windows_sysmon_network_connection | - | - | - | |
730 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0017_13_windows_sysmon_RegistryEvent | LP_0008_windows_sysmon_FileCreate | - | - | - | |
731 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0017_13_windows_sysmon_RegistryEvent | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
732 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0017_13_windows_sysmon_RegistryEvent | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
733 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0017_13_windows_sysmon_RegistryEvent | LP_0006_windows_sysmon_image_loaded | - | - | - | |
734 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0017_13_windows_sysmon_RegistryEvent | LP_0003_windows_sysmon_process_creation | - | - | - | |
735 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0017_13_windows_sysmon_RegistryEvent | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
736 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0014_10_windows_sysmon_ProcessAccess | LP_0005_windows_sysmon_network_connection | - | - | - | |
737 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0014_10_windows_sysmon_ProcessAccess | LP_0008_windows_sysmon_FileCreate | - | - | - | |
738 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0014_10_windows_sysmon_ProcessAccess | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
739 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0014_10_windows_sysmon_ProcessAccess | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
740 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0014_10_windows_sysmon_ProcessAccess | LP_0006_windows_sysmon_image_loaded | - | - | - | |
741 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0014_10_windows_sysmon_ProcessAccess | LP_0003_windows_sysmon_process_creation | - | - | - | |
742 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0014_10_windows_sysmon_ProcessAccess | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
743 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0006_2_windows_sysmon_process_changed_a_file_creation_time | LP_0005_windows_sysmon_network_connection | - | - | - | |
744 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0006_2_windows_sysmon_process_changed_a_file_creation_time | LP_0008_windows_sysmon_FileCreate | - | - | - | |
745 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0006_2_windows_sysmon_process_changed_a_file_creation_time | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
746 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0006_2_windows_sysmon_process_changed_a_file_creation_time | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
747 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0006_2_windows_sysmon_process_changed_a_file_creation_time | LP_0006_windows_sysmon_image_loaded | - | - | - | |
748 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0006_2_windows_sysmon_process_changed_a_file_creation_time | LP_0003_windows_sysmon_process_creation | - | - | - | |
749 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0006_2_windows_sysmon_process_changed_a_file_creation_time | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
750 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0011_7_windows_sysmon_image_loaded | LP_0005_windows_sysmon_network_connection | - | - | - | |
751 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0011_7_windows_sysmon_image_loaded | LP_0008_windows_sysmon_FileCreate | - | - | - | |
752 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0011_7_windows_sysmon_image_loaded | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
753 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0011_7_windows_sysmon_image_loaded | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
754 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0011_7_windows_sysmon_image_loaded | LP_0006_windows_sysmon_image_loaded | - | - | - | |
755 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0011_7_windows_sysmon_image_loaded | LP_0003_windows_sysmon_process_creation | - | - | - | |
756 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0011_7_windows_sysmon_image_loaded | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
757 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0016_12_windows_sysmon_RegistryEvent | LP_0005_windows_sysmon_network_connection | - | - | - | |
758 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0016_12_windows_sysmon_RegistryEvent | LP_0008_windows_sysmon_FileCreate | - | - | - | |
759 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0016_12_windows_sysmon_RegistryEvent | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
760 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0016_12_windows_sysmon_RegistryEvent | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
761 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0016_12_windows_sysmon_RegistryEvent | LP_0006_windows_sysmon_image_loaded | - | - | - | |
762 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0016_12_windows_sysmon_RegistryEvent | LP_0003_windows_sysmon_process_creation | - | - | - | |
763 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0016_12_windows_sysmon_RegistryEvent | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
764 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0022_19_windows_sysmon_WmiEvent | LP_0005_windows_sysmon_network_connection | - | - | - | |
765 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0022_19_windows_sysmon_WmiEvent | LP_0008_windows_sysmon_FileCreate | - | - | - | |
766 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0022_19_windows_sysmon_WmiEvent | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
767 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0022_19_windows_sysmon_WmiEvent | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
768 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0022_19_windows_sysmon_WmiEvent | LP_0006_windows_sysmon_image_loaded | - | - | - | |
769 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0022_19_windows_sysmon_WmiEvent | LP_0003_windows_sysmon_process_creation | - | - | - | |
770 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0022_19_windows_sysmon_WmiEvent | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
771 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0005_windows_sysmon_network_connection | - | - | - | |
772 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0008_windows_sysmon_FileCreate | - | - | - | |
773 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
774 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
775 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0006_windows_sysmon_image_loaded | - | - | - | |
776 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
777 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
778 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0021_18_windows_sysmon_PipeEvent | LP_0005_windows_sysmon_network_connection | - | - | - | |
779 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0021_18_windows_sysmon_PipeEvent | LP_0008_windows_sysmon_FileCreate | - | - | - | |
780 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0021_18_windows_sysmon_PipeEvent | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
781 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0021_18_windows_sysmon_PipeEvent | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
782 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0021_18_windows_sysmon_PipeEvent | LP_0006_windows_sysmon_image_loaded | - | - | - | |
783 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0021_18_windows_sysmon_PipeEvent | LP_0003_windows_sysmon_process_creation | - | - | - | |
784 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0021_18_windows_sysmon_PipeEvent | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
785 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0018_14_windows_sysmon_RegistryEvent | LP_0005_windows_sysmon_network_connection | - | - | - | |
786 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0018_14_windows_sysmon_RegistryEvent | LP_0008_windows_sysmon_FileCreate | - | - | - | |
787 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0018_14_windows_sysmon_RegistryEvent | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
788 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0018_14_windows_sysmon_RegistryEvent | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
789 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0018_14_windows_sysmon_RegistryEvent | LP_0006_windows_sysmon_image_loaded | - | - | - | |
790 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0018_14_windows_sysmon_RegistryEvent | LP_0003_windows_sysmon_process_creation | - | - | - | |
791 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0018_14_windows_sysmon_RegistryEvent | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
792 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0020_17_windows_sysmon_PipeEvent | LP_0005_windows_sysmon_network_connection | - | - | - | |
793 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0020_17_windows_sysmon_PipeEvent | LP_0008_windows_sysmon_FileCreate | - | - | - | |
794 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0020_17_windows_sysmon_PipeEvent | LP_0010_windows_sysmon_WmiEvent | - | - | - | |
795 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0020_17_windows_sysmon_PipeEvent | LP_0007_windows_sysmon_ProcessAccess | - | - | - | |
796 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0020_17_windows_sysmon_PipeEvent | LP_0006_windows_sysmon_image_loaded | - | - | - | |
797 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0020_17_windows_sysmon_PipeEvent | LP_0003_windows_sysmon_process_creation | - | - | - | |
798 | TA0003: Persistence | T1086: PowerShell | Default PowerSploit Schtasks Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0020_17_windows_sysmon_PipeEvent | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
799 | TA0005: Defense Evasion | T1036: Masquerading | Suspicious Use of Procdump | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0001_windows_audit_process_creation | - | - | - | |
800 | TA0005: Defense Evasion | T1036: Masquerading | Suspicious Use of Procdump | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
801 | TA0005: Defense Evasion | T1036: Masquerading | Suspicious Use of Procdump | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
802 | TA0005: Defense Evasion | T1036: Masquerading | Suspicious Use of Procdump | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0001_windows_audit_process_creation | - | - | - | |
803 | TA0005: Defense Evasion | T1036: Masquerading | Suspicious Use of Procdump | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
804 | TA0005: Defense Evasion | T1036: Masquerading | Suspicious Use of Procdump | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
805 | TA0005: Defense Evasion | T1036: Masquerading | Suspicious Use of Procdump | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0001_windows_audit_process_creation | - | - | - | |
806 | TA0005: Defense Evasion | T1036: Masquerading | Suspicious Use of Procdump | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0003_windows_sysmon_process_creation | - | - | - | |
807 | TA0005: Defense Evasion | T1036: Masquerading | Suspicious Use of Procdump | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
808 | TA0005: Defense Evasion | T1003: Credential Dumping | Suspicious Use of Procdump | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0001_windows_audit_process_creation | - | - | - | |
809 | TA0005: Defense Evasion | T1003: Credential Dumping | Suspicious Use of Procdump | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
810 | TA0005: Defense Evasion | T1003: Credential Dumping | Suspicious Use of Procdump | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
811 | TA0005: Defense Evasion | T1003: Credential Dumping | Suspicious Use of Procdump | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0001_windows_audit_process_creation | - | - | - | |
812 | TA0005: Defense Evasion | T1003: Credential Dumping | Suspicious Use of Procdump | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
813 | TA0005: Defense Evasion | T1003: Credential Dumping | Suspicious Use of Procdump | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
814 | TA0005: Defense Evasion | T1003: Credential Dumping | Suspicious Use of Procdump | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0001_windows_audit_process_creation | - | - | - | |
815 | TA0005: Defense Evasion | T1003: Credential Dumping | Suspicious Use of Procdump | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0003_windows_sysmon_process_creation | - | - | - | |
816 | TA0005: Defense Evasion | T1003: Credential Dumping | Suspicious Use of Procdump | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
817 | TA0006: Credential Access | T1036: Masquerading | Suspicious Use of Procdump | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0001_windows_audit_process_creation | - | - | - | |
818 | TA0006: Credential Access | T1036: Masquerading | Suspicious Use of Procdump | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
819 | TA0006: Credential Access | T1036: Masquerading | Suspicious Use of Procdump | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
820 | TA0006: Credential Access | T1036: Masquerading | Suspicious Use of Procdump | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0001_windows_audit_process_creation | - | - | - | |
821 | TA0006: Credential Access | T1036: Masquerading | Suspicious Use of Procdump | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
822 | TA0006: Credential Access | T1036: Masquerading | Suspicious Use of Procdump | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
823 | TA0006: Credential Access | T1036: Masquerading | Suspicious Use of Procdump | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0001_windows_audit_process_creation | - | - | - | |
824 | TA0006: Credential Access | T1036: Masquerading | Suspicious Use of Procdump | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0003_windows_sysmon_process_creation | - | - | - | |
825 | TA0006: Credential Access | T1036: Masquerading | Suspicious Use of Procdump | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
826 | TA0006: Credential Access | T1003: Credential Dumping | Suspicious Use of Procdump | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0001_windows_audit_process_creation | - | - | - | |
827 | TA0006: Credential Access | T1003: Credential Dumping | Suspicious Use of Procdump | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
828 | TA0006: Credential Access | T1003: Credential Dumping | Suspicious Use of Procdump | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
829 | TA0006: Credential Access | T1003: Credential Dumping | Suspicious Use of Procdump | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0001_windows_audit_process_creation | - | - | - | |
830 | TA0006: Credential Access | T1003: Credential Dumping | Suspicious Use of Procdump | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
831 | TA0006: Credential Access | T1003: Credential Dumping | Suspicious Use of Procdump | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
832 | TA0006: Credential Access | T1003: Credential Dumping | Suspicious Use of Procdump | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0001_windows_audit_process_creation | - | - | - | |
833 | TA0006: Credential Access | T1003: Credential Dumping | Suspicious Use of Procdump | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0003_windows_sysmon_process_creation | - | - | - | |
834 | TA0006: Credential Access | T1003: Credential Dumping | Suspicious Use of Procdump | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
835 | TA0005: Defense Evasion | T1107: File Deletion | Backup Catalog Deleted | - | - | - | - | - | - | - | - | - | - | |
836 | TA0006: Credential Access | T1212: Exploitation for Credential Access | Kerberos Manipulation | - | - | - | - | - | - | - | - | - | - | |
837 | TA0003: Persistence | T1100: Web Shell | Antivirus Web Shell Detection | - | - | - | - | - | - | - | - | - | - | |
838 | TA0003: Persistence | T1084: Windows Management Instrumentation Event Subscription | WMI Persistence - Script Event Consumer File Write | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0015_11_windows_sysmon_FileCreate | LP_0008_windows_sysmon_FileCreate | - | - | - | |
839 | TA0005: Defense Evasion | T1085: Rundll32 | Rundll32 Internet Connection | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0007_3_windows_sysmon_network_connection | LP_0005_windows_sysmon_network_connection | - | - | - | |
840 | TA0002: Execution | T1085: Rundll32 | Rundll32 Internet Connection | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0007_3_windows_sysmon_network_connection | LP_0005_windows_sysmon_network_connection | - | - | - | |
841 | TA0003: Persistence | T1100: Web Shell | IIS Native-Code Module Command Line Installation | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0001_windows_audit_process_creation | - | - | - | |
842 | TA0003: Persistence | T1100: Web Shell | IIS Native-Code Module Command Line Installation | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
843 | TA0003: Persistence | T1100: Web Shell | IIS Native-Code Module Command Line Installation | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
844 | TA0003: Persistence | T1100: Web Shell | IIS Native-Code Module Command Line Installation | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0001_windows_audit_process_creation | - | - | - | |
845 | TA0003: Persistence | T1100: Web Shell | IIS Native-Code Module Command Line Installation | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
846 | TA0003: Persistence | T1100: Web Shell | IIS Native-Code Module Command Line Installation | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
847 | TA0003: Persistence | T1100: Web Shell | IIS Native-Code Module Command Line Installation | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0001_windows_audit_process_creation | - | - | - | |
848 | TA0003: Persistence | T1100: Web Shell | IIS Native-Code Module Command Line Installation | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0003_windows_sysmon_process_creation | - | - | - | |
849 | TA0003: Persistence | T1100: Web Shell | IIS Native-Code Module Command Line Installation | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
850 | TA0002: Execution | T1203: Exploitation for Client Execution | Antivirus Exploitation Framework Detection | - | - | - | - | - | - | - | - | - | - | |
851 | TA0002: Execution | T1219: Remote Access Tools | Antivirus Exploitation Framework Detection | - | - | - | - | - | - | - | - | - | - | |
852 | TA0011: Command and Control | T1203: Exploitation for Client Execution | Antivirus Exploitation Framework Detection | - | - | - | - | - | - | - | - | - | - | |
853 | TA0011: Command and Control | T1219: Remote Access Tools | Antivirus Exploitation Framework Detection | - | - | - | - | - | - | - | - | - | - | |
854 | TA0005: Defense Evasion | T1055: Process Injection | Malicious Named Pipe | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0021_18_windows_sysmon_PipeEvent | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
855 | TA0005: Defense Evasion | T1055: Process Injection | Malicious Named Pipe | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0020_17_windows_sysmon_PipeEvent | LP_0009_windows_sysmon_PipeEvent | - | - | - | |
856 | TA0003: Persistence | T1060: Registry Run Keys / Startup Folder | Registry Persistence via Explorer Run Key | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0017_13_windows_sysmon_RegistryEvent | - | - | - | - | |
857 | TA0006: Credential Access | T1212: Exploitation for Credential Access | Possible Remote Password Change Through SAMR | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0032_5145_network_share_object_was_accessed_detailed | LP_0029_windows_audit_detailed_file_share | - | - | - | |
858 | TA0006: Credential Access | T1212: Exploitation for Credential Access | Possible Remote Password Change Through SAMR | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0032_5145_network_share_object_was_accessed_detailed | LP_0026_windows_audit_user_account_management | - | - | - | |
859 | TA0006: Credential Access | T1212: Exploitation for Credential Access | Possible Remote Password Change Through SAMR | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0027_4738_user_account_was_changed | LP_0029_windows_audit_detailed_file_share | - | - | - | |
860 | TA0006: Credential Access | T1212: Exploitation for Credential Access | Possible Remote Password Change Through SAMR | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0027_4738_user_account_was_changed | LP_0026_windows_audit_user_account_management | - | - | - | |
861 | TA0006: Credential Access | T1003: Credential Dumping | Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0001_windows_audit_process_creation | - | - | - | |
862 | TA0006: Credential Access | T1003: Credential Dumping | Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
863 | TA0006: Credential Access | T1003: Credential Dumping | Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
864 | TA0006: Credential Access | T1003: Credential Dumping | Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0001_windows_audit_process_creation | - | - | - | |
865 | TA0006: Credential Access | T1003: Credential Dumping | Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
866 | TA0006: Credential Access | T1003: Credential Dumping | Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
867 | TA0006: Credential Access | T1003: Credential Dumping | Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0001_windows_audit_process_creation | - | - | - | |
868 | TA0006: Credential Access | T1003: Credential Dumping | Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0003_windows_sysmon_process_creation | - | - | - | |
869 | TA0006: Credential Access | T1003: Credential Dumping | Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
870 | TA0006: Credential Access | T1003: Credential Dumping | Antivirus Password Dumper Detection | - | - | - | - | - | - | - | - | - | - | |
871 | TA0005: Defense Evasion | T1140: Deobfuscate/Decode Files or Information | Suspicious Commandline Escape | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0001_windows_audit_process_creation | - | - | - | |
872 | TA0005: Defense Evasion | T1140: Deobfuscate/Decode Files or Information | Suspicious Commandline Escape | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
873 | TA0005: Defense Evasion | T1140: Deobfuscate/Decode Files or Information | Suspicious Commandline Escape | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
874 | TA0005: Defense Evasion | T1140: Deobfuscate/Decode Files or Information | Suspicious Commandline Escape | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0001_windows_audit_process_creation | - | - | - | |
875 | TA0005: Defense Evasion | T1140: Deobfuscate/Decode Files or Information | Suspicious Commandline Escape | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
876 | TA0005: Defense Evasion | T1140: Deobfuscate/Decode Files or Information | Suspicious Commandline Escape | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
877 | TA0005: Defense Evasion | T1140: Deobfuscate/Decode Files or Information | Suspicious Commandline Escape | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0001_windows_audit_process_creation | - | - | - | |
878 | TA0005: Defense Evasion | T1140: Deobfuscate/Decode Files or Information | Suspicious Commandline Escape | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0003_windows_sysmon_process_creation | - | - | - | |
879 | TA0005: Defense Evasion | T1140: Deobfuscate/Decode Files or Information | Suspicious Commandline Escape | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
880 | TA0002: Execution | T1086: PowerShell | Detection of PowerShell Execution via DLL | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
881 | TA0002: Execution | T1086: PowerShell | PowerShell PSAttack | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | DN_0037_4103_windows_powershell_executing_pipeline | - | - | - | - | |
882 | TA0002: Execution | T1086: PowerShell | Suspicious PowerShell Invocations - Specific | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | DN_0037_4103_windows_powershell_executing_pipeline | - | - | - | - | |
883 | TA0002: Execution | T1086: PowerShell | Suspicious PowerShell Invocations - Specific | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-PowerShell/Operational | Microsoft-Windows-PowerShell | DN_0036_4104_windows_powershell_script_block | - | - | - | - | |
884 | TA0008: Lateral Movement | T1075: Pass the Hash | Pass the Hash Activity | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0004_4624_windows_account_logon | LP_0004_windows_audit_logon | - | - | - | |
885 | TA0008: Lateral Movement | T1077: Windows Admin Shares | Access to ADMIN$ Share | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0033_5140_network_share_object_was_accessed | LP_0030_windows_audit_file_share | - | - | - | |
886 | TA0002: Execution | T1086: PowerShell | Malicious PowerShell Commandlet Names | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0015_11_windows_sysmon_FileCreate | LP_0008_windows_sysmon_FileCreate | - | - | - | |
887 | TA0002: Execution | T1086: PowerShell | Suspicious PowerShell Parameter Substring | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
888 | TA0005: Defense Evasion | T1088: Bypass User Account Control | UAC Bypass via Event Viewer | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0017_13_windows_sysmon_RegistryEvent | - | - | - | - | |
889 | TA0005: Defense Evasion | T1088: Bypass User Account Control | UAC Bypass via Event Viewer | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0017_13_windows_sysmon_RegistryEvent | LP_0003_windows_sysmon_process_creation | - | - | - | |
890 | TA0005: Defense Evasion | T1088: Bypass User Account Control | UAC Bypass via Event Viewer | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | - | - | - | - | |
891 | TA0005: Defense Evasion | T1088: Bypass User Account Control | UAC Bypass via Event Viewer | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
892 | TA0004: Privilege Escalation | T1088: Bypass User Account Control | UAC Bypass via Event Viewer | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0017_13_windows_sysmon_RegistryEvent | - | - | - | - | |
893 | TA0004: Privilege Escalation | T1088: Bypass User Account Control | UAC Bypass via Event Viewer | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0017_13_windows_sysmon_RegistryEvent | LP_0003_windows_sysmon_process_creation | - | - | - | |
894 | TA0004: Privilege Escalation | T1088: Bypass User Account Control | UAC Bypass via Event Viewer | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | - | - | - | - | |
895 | TA0004: Privilege Escalation | T1088: Bypass User Account Control | UAC Bypass via Event Viewer | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
896 | TA0006: Credential Access | T1003: Credential Dumping | Password Dumper Activity on LSASS | - | - | - | - | - | - | - | - | - | - | |
897 | TA0003: Persistence | T1060: Registry Run Keys / Startup Folder | New RUN Key Pointing to Suspicious Folder | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0017_13_windows_sysmon_RegistryEvent | - | - | - | - | |
898 | TA0002: Execution | T1047: Windows Management Instrumentation | WMI Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-WMI-Activity/Operational | Microsoft-Windows-WMI-Activity | DN_0081_5861_wmi_activity | - | - | - | - | |
899 | TA0002: Execution | T1047: Windows Management Instrumentation | WMI Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-WMI-Activity/Operational | Microsoft-Windows-WMI-Activity | DN_0080_5859_wmi_activity | - | - | - | - | |
900 | TA0003: Persistence | T1047: Windows Management Instrumentation | WMI Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-WMI-Activity/Operational | Microsoft-Windows-WMI-Activity | DN_0081_5861_wmi_activity | - | - | - | - | |
901 | TA0003: Persistence | T1047: Windows Management Instrumentation | WMI Persistence | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-WMI-Activity/Operational | Microsoft-Windows-WMI-Activity | DN_0080_5859_wmi_activity | - | - | - | - | |
902 | TA0006: Credential Access | T1003: Credential Dumping | LSASS Access Detected via Attack Surface Reduction | - | - | - | - | - | - | - | - | - | - | |
903 | TA0002: Execution | T1053: Scheduled Task | Scheduled Task Creation | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
904 | TA0003: Persistence | T1053: Scheduled Task | Scheduled Task Creation | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
905 | TA0003: Persistence | T1078: Valid Accounts | Multiple Failed Logins with Different Accounts from Single Source System | - | - | - | - | - | - | - | - | - | - | |
906 | TA0004: Privilege Escalation | T1078: Valid Accounts | Multiple Failed Logins with Different Accounts from Single Source System | - | - | - | - | - | - | - | - | - | - | |
907 | TA0005: Defense Evasion | T1085: Rundll32 | Suspicious Rundll32 Activity | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0001_windows_audit_process_creation | - | - | - | |
908 | TA0005: Defense Evasion | T1085: Rundll32 | Suspicious Rundll32 Activity | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
909 | TA0005: Defense Evasion | T1085: Rundll32 | Suspicious Rundll32 Activity | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
910 | TA0005: Defense Evasion | T1085: Rundll32 | Suspicious Rundll32 Activity | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0001_windows_audit_process_creation | - | - | - | |
911 | TA0005: Defense Evasion | T1085: Rundll32 | Suspicious Rundll32 Activity | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
912 | TA0005: Defense Evasion | T1085: Rundll32 | Suspicious Rundll32 Activity | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
913 | TA0005: Defense Evasion | T1085: Rundll32 | Suspicious Rundll32 Activity | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0001_windows_audit_process_creation | - | - | - | |
914 | TA0005: Defense Evasion | T1085: Rundll32 | Suspicious Rundll32 Activity | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0003_windows_sysmon_process_creation | - | - | - | |
915 | TA0005: Defense Evasion | T1085: Rundll32 | Suspicious Rundll32 Activity | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
916 | TA0002: Execution | T1085: Rundll32 | Suspicious Rundll32 Activity | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0001_windows_audit_process_creation | - | - | - | |
917 | TA0002: Execution | T1085: Rundll32 | Suspicious Rundll32 Activity | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
918 | TA0002: Execution | T1085: Rundll32 | Suspicious Rundll32 Activity | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0001_4688_windows_process_creation | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
919 | TA0002: Execution | T1085: Rundll32 | Suspicious Rundll32 Activity | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0001_windows_audit_process_creation | - | - | - | |
920 | TA0002: Execution | T1085: Rundll32 | Suspicious Rundll32 Activity | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0003_windows_sysmon_process_creation | - | - | - | |
921 | TA0002: Execution | T1085: Rundll32 | Suspicious Rundll32 Activity | OS Logs | Windows | Applications and Services Logs | Microsoft-Windows-Sysmon/Operational | Microsoft-Windows-Sysmon | DN_0003_1_windows_sysmon_process_creation | LP_0002_windows_audit_process_creation_with_commandline | - | - | - | |
922 | TA0002: Execution | T1085: Rundll32 | Suspicious Rundll32 Activity | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0001_windows_audit_process_creation | - | - | - | |
923 | TA0002: Execution | T1085: Rundll32 | Suspicious Rundll32 Activity | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0003_windows_sysmon_process_creation | - | - | - | |
924 | TA0002: Execution | T1085: Rundll32 | Suspicious Rundll32 Activity | OS Logs | Windows | Windows Log | Security | Microsoft-Windows-Security-Auditing | DN_0002_4688_windows_process_creation_with_commandline | LP_0002_windows_audit_process_creation_with_commandline | - | - | - |